In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/[email protected]/
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-787
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6ad200> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6afc00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd494d00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6aee80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdcdbe400> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdcdbf3c0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bcbd3aa80> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702b829a4500> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702ba6a9c740> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdcdbc080> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702b501676c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b50167d00> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b50174240> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |