FKIE_CVE-2023-52506

Vulnerability from fkie_nvd - Published: 2024-03-02 22:15 - Updated: 2025-01-13 18:49
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Set all reserved memblocks on Node#0 at initialization After commit 61167ad5fecdea ("mm: pass nid to reserve_bootmem_region()") we get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled: [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18 [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733 [ 0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90 [ 0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0 [ 0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000 [ 0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800 [ 0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20 [ 0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000 [ 0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000 [ 0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 900000000470b740 s8 9000000004ad4000 [ 0.000000] ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c [ 0.000000] ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE) [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 0.000000] ECFG: 00070800 (LIE=11 VS=7) [ 0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0) [ 0.000000] BADV: 0000000000002b82 [ 0.000000] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000) [ 0.000000] Modules linked in: [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____)) [ 0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00 [ 0.000000] 900000000470e000 90000000002c1918 0000000000000000 9000000004110780 [ 0.000000] 00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748 [ 0.000000] 0000000000000000 900000000421ca84 9000000004620000 9000000004564970 [ 0.000000] 90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000 [ 0.000000] 9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000 [ 0.000000] 0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918 [ 0.000000] 90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000 [ 0.000000] 90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c [ 0.000000] 9000000004270008 0000000000000001 0000000000000000 90000000045ccd00 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<90000000040e3f28>] reserve_bootmem_region+0xfc/0x21c [ 0.000000] [<900000000421ca84>] memblock_free_all+0x114/0x350 [ 0.000000] [<9000000004218b2c>] mm_core_init+0x138/0x3cc [ 0.000000] [<9000000004200e38>] start_kernel+0x488/0x7a4 [ 0.000000] [<90000000040df0d8>] kernel_entry+0xd8/0xdc [ 0.000000] [ 0.000000] Code: 02eb21ad 00410f4c 380c31ac <262b818d> 6800b70d 02c1c196 0015001c 57fe4bb1 260002cd The reason is early memblock_reserve() in memblock_init() set node id to MAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain reserve_bootmem_region() -> init_reserved_page(). After memblock_init(), those late calls of memblock_reserve() operate on subregions of memblock .memory regions. As a result, these reserved regions will be set to the correct node at the first iteration of memmap_init_reserved_pages(). So set all reserved memblocks on Node#0 at initialization can avoid this panic.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/19878758accf6b2788091a771d9f9fee7bab11abPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b795fb9f5861ee256070d59e33130980a01fadd7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f105e893a8edd48bdf4bef9fef845a9ff402f737Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/19878758accf6b2788091a771d9f9fee7bab11abPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/b795fb9f5861ee256070d59e33130980a01fadd7Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f105e893a8edd48bdf4bef9fef845a9ff402f737Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.6
linux linux_kernel 6.6
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9889AA5E-5419-4E5A-8A95-FB5F9494E850",
              "versionEndExcluding": "6.1.56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "870FC772-173A-4A0F-B1AF-7976AD6057D3",
              "versionEndExcluding": "6.5.6",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "84267A4F-DBC2-444F-B41D-69E15E1BEC97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "FB440208-241C-4246-9A83-C1715C0DAA6C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Set all reserved memblocks on Node#0 at initialization\n\nAfter commit 61167ad5fecdea (\"mm: pass nid to reserve_bootmem_region()\")\nwe get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled:\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733\n[    0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90\n[    0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0\n[    0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000\n[    0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800\n[    0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20\n[    0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000\n[    0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000\n[    0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 900000000470b740 s8 9000000004ad4000\n[    0.000000]    ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c\n[    0.000000]   ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000000000002b82\n[    0.000000]  PRID: 0014d000 (Loongson-64bit, Loongson-3A6000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00\n[    0.000000]         900000000470e000 90000000002c1918 0000000000000000 9000000004110780\n[    0.000000]         00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748\n[    0.000000]         0000000000000000 900000000421ca84 9000000004620000 9000000004564970\n[    0.000000]         90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000\n[    0.000000]         9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000\n[    0.000000]         0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918\n[    0.000000]         90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000\n[    0.000000]         90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c\n[    0.000000]         9000000004270008 0000000000000001 0000000000000000 90000000045ccd00\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [\u003c90000000040e3f28\u003e] reserve_bootmem_region+0xfc/0x21c\n[    0.000000] [\u003c900000000421ca84\u003e] memblock_free_all+0x114/0x350\n[    0.000000] [\u003c9000000004218b2c\u003e] mm_core_init+0x138/0x3cc\n[    0.000000] [\u003c9000000004200e38\u003e] start_kernel+0x488/0x7a4\n[    0.000000] [\u003c90000000040df0d8\u003e] kernel_entry+0xd8/0xdc\n[    0.000000]\n[    0.000000] Code: 02eb21ad  00410f4c  380c31ac \u003c262b818d\u003e 6800b70d  02c1c196  0015001c  57fe4bb1  260002cd\n\nThe reason is early memblock_reserve() in memblock_init() set node id to\nMAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain\nreserve_bootmem_region() -\u003e init_reserved_page(). After memblock_init(),\nthose late calls of memblock_reserve() operate on subregions of memblock\n.memory regions. As a result, these reserved regions will be set to the\ncorrect node at the first iteration of memmap_init_reserved_pages().\n\nSo set all reserved memblocks on Node#0 at initialization can avoid this\npanic."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LoongArch: establece todos los bloques de memoria reservados en el nodo n.\u00ba 0 durante la inicializaci\u00f3n. Despu\u00e9s de el commit 61167ad5fecdea (\"mm: pasa nid a reserve_bootmem_region()\"), entra en p\u00e1nico si DEFERRED_STRUCT_PAGE_INIT est\u00e1 habilitado: [0.000000 ] CPU 0 No se puede manejar la solicitud de paginaci\u00f3n del kernel en la direcci\u00f3n virtual 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18 [ 0.000000] Ups[#1]: [ 0.000000] CPU: 0 PID: 0 Comm: swapper No contaminado 6 .5.0+ #733 [ 0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90 [ 0.000000] a0 0000000000000001 a1 000 0000000200000 a2 0000000000000040 a3 90000000046f7ca0 [ 0.000000] a4 90000000046f7ca4 a5 00000000000000000 a6 90000000046f7c38 a7 00000 00000000000 [ 0,000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800 [ 0,000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20 [ 0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 000 0000000000000 s0 fffffffe000000 [ 0.000000] s1 0000000000000000 s2 0000000000000080 s3 00000000000000040 s4 0000000000000000 [ 0.000 000] s5 0000000000000000 s6 fffffffe000000 s7 900000000470b740 s8 9000000004ad4000 [ 0.000000] ra: 90000000040e3f18 reserve_bootmem_region+0xec/ 0x21c [0.000000] ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c [0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 0.000000] PRMD: 00000000 ( PPLV0 -PIE -PWE) [ 0,000000 ] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 0.000000] ECFG: 00070800 (LIE=11 VS=7) [ 0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EssubCode=0) [ 0.000000 ] BADV: 0000000000002b82 [ 0.000000] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000) [ 0.000000] M\u00f3dulos vinculados en: [ 0.000000] Intercambiador de procesos (pid: 0, threadinfo=(____ptrval____), tarea=(____ptrval____ )) [ 0,000000 ] Pila: 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00 [0.000000] 900000000470e000 90000000002c1918 00000000 00000000 9000000004110780 [ 0.000000] 00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748 [ 0.000000] 0000000000 000000 900000000421ca84 9000000004620000 9000000004564970 [ 0.000000] 90000000046f7d78 9000000002cc9f70 90000000002c1918 9000000 00470e000 [ 0.000000] 9000000004564970 90000000040bc0e0 90000000046f7d78 00000000000000000 [ 0.000000] 0000000000004000 900000000 45ccd00 0000000000000000 90000000002c1918 [ 0,000000] 90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000 [ 0,000000] 90000000046200a8 90000000046200a8 [ 0.000000] Seguimiento de llamadas: [ 0.000000] [\u0026lt;90000000040e3f28\u0026gt;] reserve_bootmem_region+0xfc/0x21c [ 0.000000] [\u0026lt; 900000000421ca84\u0026gt;] memblock_free_all+0x114/0x350 [ 0.000000] [\u0026lt;9000000004218b2c\u0026gt;] mm_core_init+0x138/0x3cc [ 0.000000] [\u0026lt;9000000004200e38\u0026gt;] start_kernel+0x4 88/0x7a4 [ 0.000000] [\u0026lt;90000000040df0d8\u0026gt;] kernel_entry+0xd8/0xdc [ 0.000000] [0.000000] C\u00f3digo: 02eb21ad 00410f4c 380c31ac \u0026lt;262b818d\u0026gt; 6800b70d 02c1c196 0015001c 57fe4bb1 260002cd El motivo es que memblock_reserve() en memblock_init() estableci\u00f3 la identificaci\u00f3n del nodo en MAX_NUMNODES, haciendo NODE_ DATA(nid) una desreferencia NULL en la cadena de llamadas reserve_bootmem_region() -\u0026gt; init_reserved_page(). Despu\u00e9s de memblock_init(), esas llamadas tard\u00edas de memblock_reserve() operan en subregiones de regiones memblock .memory. Como resultado, estas regiones reservadas se establecer\u00e1n en el nodo correcto en la primera iteraci\u00f3n de memmap_init_reserved_pages(). Por lo tanto, configurar todos los bloques de memoria reservados en el Nodo 0 durante la inicializaci\u00f3n puede evitar este p\u00e1nico."
    }
  ],
  "id": "CVE-2023-52506",
  "lastModified": "2025-01-13T18:49:25.347",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-02T22:15:47.390",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/19878758accf6b2788091a771d9f9fee7bab11ab"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b795fb9f5861ee256070d59e33130980a01fadd7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f105e893a8edd48bdf4bef9fef845a9ff402f737"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/19878758accf6b2788091a771d9f9fee7bab11ab"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b795fb9f5861ee256070d59e33130980a01fadd7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f105e893a8edd48bdf4bef9fef845a9ff402f737"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.