CVE-2024-53130

{"id": "CVE-2024-53130", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-12-04T15:15:12.927", "references": [{"url": "https://git.kernel.org/stable/c/0a5014ad37c77ac6a2c525137c00a0e1724f6020", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0ce59fb1c73fdd5b6028226aeb46259a0cdc0957", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2026559a6c4ce34db117d2db8f710fe2a9420d5a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7af3309c7a2ef26831a67125b11c34a7e01c1b2a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86b19031dbc79abc378dfae357f6ea33ebeb0c95", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0e4765740040c44039282057ecacd7435d1d2ba", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d904e4d845aafbcfd8a40c1df7d999f02f062be8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ffc440a76a0f476a7e6ea838ec0dc8e9979944d1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint\n\nWhen using the \"block:block_dirty_buffer\" tracepoint, mark_buffer_dirty()\nmay cause a NULL pointer dereference, or a general protection fault when\nKASAN is enabled.\n\nThis happens because, since the tracepoint was added in\nmark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev\nregardless of whether the buffer head has a pointer to a block_device\nstructure.\n\nIn the current implementation, nilfs_grab_buffer(), which grabs a buffer\nto read (or create) a block of metadata, including b-tree node blocks,\ndoes not set the block device, but instead does so only if the buffer is\nnot in the \"uptodate\" state for each of its caller block reading\nfunctions. However, if the uptodate flag is set on a folio/page, and the\nbuffer heads are detached from it by try_to_free_buffers(), and new buffer\nheads are then attached by create_empty_buffers(), the uptodate flag may\nbe restored to each buffer without the block device being set to\nbh->b_bdev, and mark_buffer_dirty() may be called later in that state,\nresulting in the bug mentioned above.\n\nFix this issue by making nilfs_grab_buffer() always set the block device\nof the super block structure to the buffer head, regardless of the state\nof the buffer's uptodate flag."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: correcci\u00f3n de null-ptr-deref en el punto de seguimiento block_dirty_buffer Al utilizar el punto de seguimiento \"block:block_dirty_buffer\", mark_buffer_dirty() puede provocar una desreferencia de puntero NULL o un fallo de protecci\u00f3n general cuando KASAN est\u00e1 habilitado. Esto sucede porque, dado que el punto de seguimiento se agreg\u00f3 en mark_buffer_dirty(), hace referencia al miembro dev_t bh->b_bdev->bd_dev independientemente de si el cabezal del b\u00fafer tiene un puntero a una estructura block_device. En la implementaci\u00f3n actual, nilfs_grab_buffer(), que toma un b\u00fafer para leer (o crear) un bloque de metadatos, incluidos los bloques de nodos de \u00e1rbol b, no establece el dispositivo de bloque, sino que lo hace solo si el b\u00fafer no est\u00e1 en el estado \"uptodate\" para cada una de sus funciones de lectura de bloque de llamada. Sin embargo, si el indicador uptodate est\u00e1 configurado en un folio/p\u00e1gina, y los cabezales de b\u00fafer se separan de \u00e9l mediante try_to_free_buffers(), y luego se adjuntan nuevos cabezales de b\u00fafer mediante create_empty_buffers(), el indicador uptodate puede restaurarse en cada b\u00fafer sin que el dispositivo de bloque se configure en bh->b_bdev, y mark_buffer_dirty() puede llamarse m\u00e1s tarde en ese estado, lo que da como resultado el error mencionado anteriormente. Solucione este problema haciendo que nilfs_grab_buffer() siempre configure el dispositivo de bloque de la estructura de superbloque en el cabezal de b\u00fafer, independientemente del estado del indicador uptodate del b\u00fafer."}], "lastModified": "2024-12-14T21:15:37.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9F07E74-2989-4705-AED1-FEACA2FEF716", "versionEndExcluding": "6.1.119", "versionStartIncluding": "3.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC8AE946-6593-4D8D-863A-0BC137CF667F", "versionEndExcluding": "6.6.63", "versionStartIncluding": "6.6.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D7D3F96-FD78-48BB-9935-3CD41775FEAA", "versionEndExcluding": "6.11.10", "versionStartIncluding": "6.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}