CVE-2023-52490

一、漏洞信息
 漏洞编号：[CVE-2023-52490](https://nvd.nist.gov/vuln/detail/CVE-2023-52490)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0
 CVSS V3.0分值：
  BaseScore：0.0 None
  Vector：CVSS：3.0/
 漏洞简述：
  A vulnerability was found in Linux Kernel up to 6.6.14/6.7.2 (Operating System). It has been declared as critical.The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.As an impact it is known to affect availability.Upgrading to version 6.6.15, 6.7.3 or 6.8-rc1 eliminates this vulnerability. Applying the patch 9128bfbc5c80/3889a418b6eb/d1adb25df711 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
 漏洞公开时间：2024-02-20 00:00:00
 漏洞创建时间：2024-03-11 19:17:10
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2023-52490
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
|  | https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767 |  |
|  | https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b |  |
|  | https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61 |  |
|  | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52490 |  |
|  | https://git.kernel.org/linus/d1adb25df7111de83b64655a80b5a135adbded61 |  |
|  | https://www.cve.org/CVERecord?id=CVE-2023-52490 |  |
|  | https://ubuntu.com/security/notices/USN-6765-1 |  |
|  | https://ubuntu.com/security/notices/USN-6818-1 |  |
|  | https://ubuntu.com/security/notices/USN-6819-1 |  |
|  | https://ubuntu.com/security/notices/USN-6818-2 |  |
|  | https://ubuntu.com/security/notices/USN-6819-2 |  |
|  | https://ubuntu.com/security/notices/USN-6819-3 |  |
|  | https://ubuntu.com/security/notices/USN-6818-3 |  |
|  | https://ubuntu.com/security/notices/USN-6818-4 |  |
|  | https://ubuntu.com/security/notices/USN-6819-4 |  |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

无
</details>

二、漏洞分析结构反馈
 影响性分析说明：
    In the Linux kernel, the following vulnerability has been resolved:mm: migrate: fix getting incorrect page mapping during page migrationWhen running stress-ng testing, we found below kernel crash after a few hours:Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000pc : dentry_name+0xd8/0x224lr : pointer+0x22c/0x370sp : ffff800025f134c0......Call trace:  dentry_name+0xd8/0x224  pointer+0x22c/0x370  vsnprintf+0x1ec/0x730  vscnprintf+0x2c/0x60  vprintk_store+0x70/0x234  vprintk_emit+0xe0/0x24c  vprintk_default+0x3c/0x44  vprintk_func+0x84/0x2d0  printk+0x64/0x88  __dump_page+0x52c/0x530  dump_page+0x14/0x20  set_migratetype_isolate+0x110/0x224  start_isolate_page_range+0xc4/0x20c  offline_pages+0x124/0x474  memory_block_offline+0x44/0xf4  memory_subsys_offline+0x3c/0x70  device_offline+0xf0/0x120  ......After analyzing the vmcore, I found this issue is caused by page migration.The scenario is that, one thread is doing page migration, and we will use thetarget page s ->mapping field to save  anon_vma  pointer between page unmap andpage move, and now the target page is locked and refcount is 1.Currently, there is another stress-ng thread performing memory hotplug,attempting to offline the target page that is being migrated. It discovers thatthe refcount of this target page is 1, preventing the offline operation, thusproceeding to dump the page. However, page_mapping() of the target page mayreturn an incorrect file mapping to crash the system in dump_mapping(), sincethe target page->mapping only saves  anon_vma  pointer without settingPAGE_MAPPING_ANON flag.There are seveval ways to fix this issue:(1) Setting the PAGE_MAPPING_ANON flag for target page s ->mapping when saving anon_vma , but this can confuse PageAnon() for PFN walkers, since the targetpage has not built mappings yet.(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashingthe system, however, there are still some PFN walkers that call page_mapping()without holding the page lock, such as compaction.(3) Using target page->private field to save the  anon_vma  pointer and 2 bitspage state, just as page->mapping records an anonymous page, which can removethe page_mapping() impact for PFN walkers and also seems a simple way.So I choose option 3 to fix this issue, and this can also fix other potentialissues for PFN walkers, such as compaction. 
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP1:不受影响
2.openEuler-20.03-LTS-SP4:不受影响
3.openEuler-22.03-LTS:不受影响
4.openEuler-22.03-LTS-SP1:不受影响
5.openEuler-22.03-LTS-SP2:不受影响
6.openEuler-22.03-LTS-SP3:不受影响
7.master:不受影响
8.openEuler-22.03-LTS-Next:不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP1:否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master:否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

原因说明：
  1.master:
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

src-openEuler/kernel
关闭

内容风险标识

评论 (8)

src-openEuler/kernel关闭 .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2023-52490

评论 (8)

搜索帮助

src-openEuler/kernel
关闭