CVE-2024-55916

{"id": "CVE-2024-55916", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-01-11T13:15:28.353", "references": [{"url": "https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: util: Avoid accessing a ringbuffer not initialized yet\n\nIf the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is\nfully initialized, we can hit the panic below:\n\nhv_utils: Registering HyperV Utility Driver\nhv_vmbus: registering driver hv_utils\n...\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1\nRIP: 0010:hv_pkt_iter_first+0x12/0xd0\nCall Trace:\n...\n vmbus_recvpacket\n hv_kvp_onchannelcallback\n vmbus_on_event\n tasklet_action_common\n tasklet_action\n handle_softirqs\n irq_exit_rcu\n sysvec_hyperv_stimer0\n </IRQ>\n <TASK>\n asm_sysvec_hyperv_stimer0\n...\n kvp_register_done\n hvt_op_read\n vfs_read\n ksys_read\n __x64_sys_read\n\nThis can happen because the KVP/VSS channel callback can be invoked\neven before the channel is fully opened:\n1) as soon as hv_kvp_init() -> hvutil_transport_init() creates\n/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and\nregister itself to the driver by writing a message KVP_OP_REGISTER1 to the\nfile (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and\nreading the file for the driver's response, which is handled by\nhvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().\n\n2) the problem with kvp_register_done() is that it can cause the\nchannel callback to be called even before the channel is fully opened,\nand when the channel callback is starting to run, util_probe()->\nvmbus_open() may have not initialized the ringbuffer yet, so the\ncallback can hit the panic of NULL pointer dereference.\n\nTo reproduce the panic consistently, we can add a \"ssleep(10)\" for KVP in\n__vmbus_open(), just before the first hv_ringbuffer_init(), and then we\nunload and reload the driver hv_utils, and run the daemon manually within\nthe 10 seconds.\n\nFix the panic by reordering the steps in util_probe() so the char dev\nentry used by the KVP or VSS daemon is not created until after\nvmbus_open() has completed. This reordering prevents the race condition\nfrom happening."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Controladores: hv: util: evitar acceder a un b\u00fafer de anillo que a\u00fan no se ha inicializado Si el demonio KVP (o VSS) se inicia antes de que el b\u00fafer de anillo del canal VMBus se haya inicializado por completo, podemos activar el p\u00e1nico siguiente: hv_utils: registrar el controlador de la utilidad HyperV hv_vmbus: registrar el controlador hv_utils ... ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: GE 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Seguimiento de llamadas: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read Esto puede suceder porque la devoluci\u00f3n de llamada del canal KVP/VSS se puede invocar incluso antes de que el canal est\u00e9 completamente abierto: 1) tan pronto como hv_kvp_init() -&gt; hvutil_transport_init() crea /dev/vmbus/hv_kvp, el demonio kvp puede abrir el archivo del dispositivo inmediatamente y registrarse en el controlador escribiendo un mensaje KVP_OP_REGISTER1 en el archivo (que es manejado por kvp_on_msg() -&gt;kvp_handle_handshake()) y leyendo el archivo para la respuesta del controlador, que es manejada por hvt_op_read(), que llama a hvt-&gt;on_read(), es decir, kvp_register_done(). 2) El problema con kvp_register_done() es que puede provocar que se llame a la devoluci\u00f3n de llamada del canal incluso antes de que el canal est\u00e9 completamente abierto, y cuando la devoluci\u00f3n de llamada del canal est\u00e1 comenzando a ejecutarse, util_probe()-&gt; vmbus_open() puede no haber inicializado a\u00fan el ringbuffer, por lo que la devoluci\u00f3n de llamada puede alcanzar el p\u00e1nico de la desreferencia de puntero NULL. Para reproducir el p\u00e1nico de manera consistente, podemos agregar un \"ssleep(10)\" para KVP en __vmbus_open(), justo antes del primer hv_ringbuffer_init(), y luego descargamos y volvemos a cargar el controlador hv_utils, y ejecutamos el demonio manualmente dentro de los 10 segundos. Solucione el problema reordenando los pasos en util_probe() de modo que la entrada char dev que utiliza el demonio KVP o VSS no se cree hasta que se haya completado vmbus_open(). Esta reordenaci\u00f3n evita que se produzca la condici\u00f3n de ejecuci\u00f3n."}], "lastModified": "2025-01-16T15:18:39.293", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDE15310-57BA-4BA1-87F2-D344FBFF9497", "versionEndExcluding": "5.4.289", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44569A17-FE4C-4BE3-9C0C-74AC54C7B51B", "versionEndExcluding": "5.10.233", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDBD8FC6-2357-4347-BFA1-B4A4A3039F35", "versionEndExcluding": "5.15.176", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B06AD1C-E7B3-4B24-A884-D3BE92CC042F", "versionEndExcluding": "6.1.122", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74BA9823-CCED-4B24-815D-B82543954BF8", "versionEndExcluding": "6.6.68", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "811AC89A-14AC-49FA-9B54-E99526F1CA47", "versionEndExcluding": "6.12.7", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}