The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsThere is no fixed version for RHEL:9
kernel-debug-modules-internal
.
Note: Versions mentioned in the description apply only to the upstream kernel-debug-modules-internal
package and not the kernel-debug-modules-internal
package as distributed by RHEL
.
See How to fix?
for RHEL:9
relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
uprobe: avoid out-of-bounds memory access of fetching args
Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem.
Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access.
It could be reproduced by following steps:
\#include <stdio.h> \#include <stdlib.h> \#include <string.h>
// If string length large than MAX_STRING_SIZE, the fetch_store_strlen() // will return 0, cause __get_data_size() return shorter size, and // store_trace_args() will not trigger out-of-bounds access. // So make string length less than 4096. #define STRLEN 4093
void generate_string(char *str, int n) { int i; for (i = 0; i < n; ++i) { char c = i % 26 + 'a'; str[i] = c; } str[n-1] = '\0'; }
void print_string(char *str) { printf("%s\n", str); }
int main() { char tmp[STRLEN];
generate_string(tmp, STRLEN); print_string(tmp); return 0;
}
compile program
gcc -o test test.c
get the offset of print_string()
objdump -t test | grep -w print_string
0000000000401199 g F .text 000000000000001b print_string
off=0x1199
cd /sys/kernel/debug/tracing/ echo "p /root/test:${off} arg1=+0(%di):ustring arg2=$comm arg3=+0(%di):ustring" > uprobe_events echo 1 > events/uprobes/enable echo 1 > tracing_on
test
, and kasan will report error.This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access.