CVE-2023-52574 Affecting kernel-debuginfo-common-aarch64 package, versions <0:4.18.0-553.el8_10
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-ROCKY8-KERNELDEBUGINFOCOMMONAARCH64-7264193
- published15 Jun 2024
- disclosed2 Mar 2024
Introduced: 2 Mar 2024
CVE-2023-52574 (opens in a new tab)How to fix?
Upgrade Rocky-Linux:8 kernel-debuginfo-common-aarch64 to version 0:4.18.0-553.el8_10 or higher.
This issue was patched in RLSA-2024:3138.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-debuginfo-common-aarch64 package and not the kernel-debuginfo-common-aarch64 package as distributed by Rocky-Linux.
See How to fix? for Rocky-Linux:8 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
team: fix null-ptr-deref when team device type is changed
Get a null-ptr-deref bug as follows with reproducer [1].
BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30
[1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0
When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device.
Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52574
- https://git.kernel.org/stable/c/1779eb51b9cc628cee551f252701a85a2a50a457
- https://git.kernel.org/stable/c/2f0acb0736ecc3eb85dc80ad2790d634dcb10b58
- https://git.kernel.org/stable/c/492032760127251e5540a5716a70996bacf2a3fd
- https://git.kernel.org/stable/c/a7fb47b9711101d2405b0eb1276fb1f9b9b270c7
- https://git.kernel.org/stable/c/b44dd92e2afd89eb6e9d27616858e72a67bdc1a7
- https://git.kernel.org/stable/c/c5f6478686bb45f453031594ae19b6c9723a780d
- https://git.kernel.org/stable/c/cac50d9f5d876be32cb9aa21c74018468900284d
- https://git.kernel.org/stable/c/cd05eec2ee0cc396813a32ef675634e403748255