CVE-2023-52879 - OpenCVE

Link	Providers
https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706
https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976
https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d
https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e
https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f
https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4
https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0
https://lore.kernel.org/linux-cve-announce/2024052122-CVE-2023-52879-fa4d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-52879
https://www.cve.org/CVERecord?id=CVE-2023-52879

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52879", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T15:19:24.265Z", "datePublished": "2024-05-21T15:32:11.263Z", "dateUpdated": "2024-11-04T14:54:27.196Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:54:27.196Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/trace_events.h", "kernel/trace/trace.c", "kernel/trace/trace.h", "kernel/trace/trace_events.c", "kernel/trace/trace_events_filter.c"], "versions": [{"version": "e6807c873d87", "lessThan": "961c4511c757", "status": "affected", "versionType": "git"}, {"version": "407bf1c140f0", "lessThan": "a98172e36e5f", "status": "affected", "versionType": "git"}, {"version": "fa6d449e4d02", "lessThan": "cbc7c29dff0f", "status": "affected", "versionType": "git"}, {"version": "a46bf337a20f", "lessThan": "2fa74d29fc18", "status": "affected", "versionType": "git"}, {"version": "9beec0437013", "lessThan": "2c9de867ca28", "status": "affected", "versionType": "git"}, {"version": "f5ca233e2e66", "lessThan": "9034c87d61be", "status": "affected", "versionType": "git"}, {"version": "f5ca233e2e66", "lessThan": "bb32500fb9b7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/trace_events.h", "kernel/trace/trace.c", "kernel/trace/trace.h", "kernel/trace/trace_events.c", "kernel/trace/trace_events_filter.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.262", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.202", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.140", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.64", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.13", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.1", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"}, {"url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"}, {"url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"}, {"url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"}, {"url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"}, {"url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"}, {"url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"}], "title": "tracing: Have trace_event_file have ref counters", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T16:59:47.559597Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:30.864Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.182Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.182Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T16:59:47.559597Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:25.231Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "tracing: Have trace_event_file have ref counters", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "e6807c873d87", "lessThan": "961c4511c757", "versionType": "git"}, {"status": "affected", "version": "407bf1c140f0", "lessThan": "a98172e36e5f", "versionType": "git"}, {"status": "affected", "version": "fa6d449e4d02", "lessThan": "cbc7c29dff0f", "versionType": "git"}, {"status": "affected", "version": "a46bf337a20f", "lessThan": "2fa74d29fc18", "versionType": "git"}, {"status": "affected", "version": "9beec0437013", "lessThan": "2c9de867ca28", "versionType": "git"}, {"status": "affected", "version": "f5ca233e2e66", "lessThan": "9034c87d61be", "versionType": "git"}, {"status": "affected", "version": "f5ca233e2e66", "lessThan": "bb32500fb9b7", "versionType": "git"}], "programFiles": ["include/linux/trace_events.h", "kernel/trace/trace.c", "kernel/trace/trace.h", "kernel/trace/trace_events.c", "kernel/trace/trace_events_filter.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.6"}, {"status": "unaffected", "version": "0", "lessThan": "6.6", "versionType": "custom"}, {"status": "unaffected", "version": "5.4.262", "versionType": "custom", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.202", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.140", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.64", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.13", "versionType": "custom", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6.1", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/linux/trace_events.h", "kernel/trace/trace.c", "kernel/trace/trace.h", "kernel/trace/trace_events.c", "kernel/trace/trace_events_filter.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"}, {"url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"}, {"url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"}, {"url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"}, {"url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"}, {"url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"}, {"url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:18:57.020Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52879", "state": "PUBLISHED", "dateUpdated": "2024-08-02T23:18:41.182Z", "dateReserved": "2024-05-21T15:19:24.265Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:32:11.263Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: Tener trace_event_file tiene contadores de referencia. Lo siguiente puede bloquear el kernel: # cd /sys/kernel/tracing # echo 'p:sched Schedule' > kprobe_events # exec 5>>events /kprobes/sched/enable # > kprobe_events # exec 5>&- Los comandos anteriores: 1. Cambie el directorio al directorio tracefs 2. Cree un evento kprobe (no importa cu\u00e1l) 3. Abra el descriptor de archivo bash 5 en el habilitar el archivo del evento kprobe 4. Eliminar el evento kprobe (tambi\u00e9n elimina los archivos) 5. Cerrar el descriptor del archivo bash 5 \u00a1Lo anterior provoca un bloqueo! BUG: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000028 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01 /2014 RIP: 0010:tracing_release_file_tr+0xc/0x50. Lo que sucede aqu\u00ed es que el evento kprobe crea un descriptor de \"archivo\" trace_event_file que representa el archivo en tracefs hasta el evento. Mantiene el estado del evento (\u00bfest\u00e1 habilitado para la instancia dada?). Al abrir el archivo \"habilitar\" se obtiene una referencia al descriptor de \"archivo\" del evento a trav\u00e9s del descriptor de archivo abierto. Cuando se elimina el evento kprobe, el archivo tambi\u00e9n se elimina del sistema tracefs, lo que tambi\u00e9n libera el descriptor de \"archivo\" del evento. Pero como el espacio del usuario todav\u00eda abre el archivo tracefs, no se eliminar\u00e1 por completo hasta que se llame al dput() final. Pero esto no es cierto con el descriptor de \"archivo\" de evento que ya est\u00e1 liberado. Si el usuario escribe o simplemente cierra el descriptor de archivo, har\u00e1 referencia al descriptor de \"archivo\" del evento que acaba de liberarse, lo que provocar\u00e1 un error de uso despu\u00e9s de la liberaci\u00f3n. Para resolver esto, agregue un recuento de referencias al descriptor de \"archivo\" del evento, as\u00ed como una nueva bandera llamada \"FREED\". El \"archivo\" no se liberar\u00e1 hasta que se publique la \u00faltima referencia. Pero el indicador FREE se establecer\u00e1 cuando se elimine el evento para evitar que se realicen m\u00e1s modificaciones en ese evento, incluso si todav\u00eda hay una referencia al descriptor de \"archivo\" del evento."}], "id": "CVE-2023-52879", "lastModified": "2024-05-21T16:53:56.550", "metrics": {}, "published": "2024-05-21T16:15:24.530", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tracing: Have trace_event_file have ref counters", "id": "2282730", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282730"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-395", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntracing: Have trace_event_file have ref counters\nThe following can crash the kernel:\n# cd /sys/kernel/tracing\n# echo 'p:sched schedule' > kprobe_events\n# exec 5>>events/kprobes/sched/enable\n# > kprobe_events\n# exec 5>&-\nThe above commands:\n1. Change directory to the tracefs directory\n2. Create a kprobe event (doesn't matter what one)\n3. Open bash file descriptor 5 on the enable file of the kprobe event\n4. Delete the kprobe event (removes the files too)\n5. Close the bash file descriptor 5\nThe above causes a crash!\nBUG: kernel NULL pointer dereference, address: 0000000000000028\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:tracing_release_file_tr+0xc/0x50\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor."], "name": "CVE-2023-52879", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52879\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52879\nhttps://lore.kernel.org/linux-cve-announce/2024052122-CVE-2023-52879-fa4d@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 5.4.262, kernel 5.10.202, kernel 5.15.140, kernel 6.1.64, kernel 6.5.13, kernel 6.6.1, kernel 6.7"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object