In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ipc: corrección para proteger las búsquedas IPCS mediante RCU. syzbot informó del descubrimiento de una vulnerabilidad de use-after-free, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() está protegido por rwsem, pero esto no es suficiente. Si no está protegido por la región crítica de lectura de RCU, cuando idr_for_each() llama a radix_tree_node_free() mediante call_rcu() para liberar la estructura radix_tree_node, el nodo se liberará inmediatamente y, al leer el siguiente nodo en radix_tree_for_each_slot(), se podrá leer la memoria ya liberada. Por lo tanto, necesitamos agregar código para asegurarnos de que idr_for_each() esté protegido dentro de la región crítica de lectura de RCU cuando lo llamamos en shm_destroy_orphaned().
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-416
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b801c3c80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd7f9100> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd7fb440> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b801c18c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b801c0740> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc5c4cc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd7f9ec0> | Operating System |
| debian | debian_linux | 11.0 | <built-in method update of dict object at 0x702bdd7fa780> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |