CVE-2023-52659

{"id": "CVE-2023-52659", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-17T13:15:57.677", "references": [{"url": "https://git.kernel.org/stable/c/325956b0173f11e98f90462be4829a8b8b0682ce", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7e1471888a5e6e846e9b4d306e5327db2b58e64e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/814305b5c23cb815ada68d43019f39050472b25f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8e5647a723c49d73b9f108a8bb38e8c29d3948ea", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/325956b0173f11e98f90462be4829a8b8b0682ce", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/7e1471888a5e6e846e9b4d306e5327db2b58e64e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/814305b5c23cb815ada68d43019f39050472b25f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8e5647a723c49d73b9f108a8bb38e8c29d3948ea", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type\n\nOn 64-bit platforms, the pfn_to_kaddr() macro requires that the input\nvalue is 64 bits in order to ensure that valid address bits don't get\nlost when shifting that input by PAGE_SHIFT to calculate the physical\naddress to provide a virtual address for.\n\nOne such example is in pvalidate_pages() (used by SEV-SNP guests), where\nthe GFN in the struct used for page-state change requests is a 40-bit\nbit-field, so attempts to pass this GFN field directly into\npfn_to_kaddr() ends up causing guest crashes when dealing with addresses\nabove the 1TB range due to the above.\n\nFix this issue with SEV-SNP guests, as well as any similar cases that\nmight cause issues in current/future code, by using an inline function,\ninstead of a macro, so that the input is implicitly cast to the\nexpected 64-bit input type prior to performing the shift operation.\n\nWhile it might be argued that the issue is on the caller side, other\narchs/macros have taken similar approaches to deal with instances like\nthis, such as ARM explicitly casting the input to phys_addr_t:\n\n e48866647b48 (\"ARM: 8396/1: use phys_addr_t in pfn_to_kaddr()\")\n\nA C inline function is even better though.\n\n[ mingo: Refined the changelog some more & added __always_inline. ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/mm: garantiza que la entrada a pfn_to_kaddr() se trate como un tipo de 64 bits. En plataformas de 64 bits, la macro pfn_to_kaddr() requiere que el valor de entrada sea de 64 bits en para garantizar que los bits de direcci\u00f3n v\u00e1lidos no se pierdan al cambiar esa entrada mediante PAGE_SHIFT para calcular la direcci\u00f3n f\u00edsica para la que proporcionar una direcci\u00f3n virtual. Un ejemplo de ello es pvalidate_pages() (utilizado por invitados SEV-SNP), donde el GFN en la estructura utilizada para las solicitudes de cambio de estado de p\u00e1gina es un campo de bits de 40 bits, por lo que se intenta pasar este campo GFN directamente a pfn_to_kaddr( ) termina causando fallas en los invitados cuando se trata de direcciones por encima del rango de 1 TB debido a lo anterior. Solucione este problema con los invitados SEV-SNP, as\u00ed como cualquier caso similar que pueda causar problemas en el c\u00f3digo actual/futuro, utilizando una funci\u00f3n en l\u00ednea, en lugar de una macro, de modo que la entrada se convierta impl\u00edcitamente a la entrada esperada de 64 bits. tipo antes de realizar la operaci\u00f3n de cambio. Si bien se podr\u00eda argumentar que el problema est\u00e1 en el lado de la persona que llama, otros arcos/macros han adoptado enfoques similares para lidiar con casos como este, como ARM que env\u00eda expl\u00edcitamente la entrada a phys_addr_t: e48866647b48 (\"ARM: 8396/1: use phys_addr_t in pfn_to_kaddr()\") La funci\u00f3n en l\u00ednea AC es a\u00fan mejor. [mingo: refin\u00f3 un poco m\u00e1s el registro de cambios y agreg\u00f3 __always_inline. ]"}], "lastModified": "2025-09-25T15:54:17.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89C006B8-BD53-4D24-9E4A-3482F60C50EC", "versionEndExcluding": "6.6.23", "versionStartIncluding": "6.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD", "versionEndExcluding": "6.7.11", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1", "versionEndExcluding": "6.8.2", "versionStartIncluding": "6.8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}