fkie_cve-2024-36907
Vulnerability from fkie_nvd
Published
2024-05-30 16:15
Modified
2025-03-01 02:46
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: add a missing rpc_stat for TCP TLS Commit 1548036ef120 ("nfs: make the rpc_stat per net namespace") added functionality to specify rpc_stats function but missed adding it to the TCP TLS functionality. As the result, mounting with xprtsec=tls lead to the following kernel oops. [ 128.984192] Unable to handle kernel NULL pointer dereference at virtual address 000000000000001c [ 128.985058] Mem abort info: [ 128.985372] ESR = 0x0000000096000004 [ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits [ 128.986176] SET = 0, FnV = 0 [ 128.986521] EA = 0, S1PTW = 0 [ 128.986804] FSC = 0x04: level 0 translation fault [ 128.987229] Data abort info: [ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000 [ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000 [ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP [ 128.991168] Modules linked in: nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs uinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c e1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64 nvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm sg fuse [ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not tainted 6.8.0-rc6+ #12 [ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023 [ 128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc] [ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 128.999384] pc : call_start+0x74/0x138 [sunrpc] [ 128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc] [ 129.000244] sp : ffff8000832b3a00 [ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000 [ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008 [ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000 [ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff [ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88 [ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008 [ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00 [ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3 [ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680 [ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00 [ 129.005824] Call trace: [ 129.005967] call_start+0x74/0x138 [sunrpc] [ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc] [ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc] [ 129.006778] rpc_run_task+0x148/0x1f8 [sunrpc] [ 129.007204] tls_probe+0x80/0xd0 [sunrpc] [ 129.007460] rpc_ping+0x28/0x80 [sunrpc] [ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc] [ 129.007999] rpc_create+0x128/0x2a0 [sunrpc] [ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc] [ 129.008583] process_one_work+0x174/0x3c8 [ 129.008813] worker_thread+0x2c8/0x3e0 [ 129.009033] kthread+0x100/0x110 [ 129.009225] ret_from_fork+0x10/0x20 [ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99ccPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99ccPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4aPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F6B2EEC6-6406-4FF9-923B-A6664165377F",
                     versionEndExcluding: "5.4.276",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AC67C71C-2044-40BA-B590-61E562F69F89",
                     versionEndExcluding: "5.10.217",
                     versionStartIncluding: "5.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F16678CD-F7C6-4BF6-ABA8-E7600857197B",
                     versionEndExcluding: "5.15.159",
                     versionStartIncluding: "5.11",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4F8C886C-75AA-469B-A6A9-12BF1A29C0D5",
                     versionEndExcluding: "6.1.91",
                     versionStartIncluding: "5.16",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: add a missing rpc_stat for TCP TLS\n\nCommit 1548036ef120 (\"nfs: make the rpc_stat per net namespace\") added\nfunctionality to specify rpc_stats function but missed adding it to the\nTCP TLS functionality. As the result, mounting with xprtsec=tls lead to\nthe following kernel oops.\n\n[  128.984192] Unable to handle kernel NULL pointer dereference at\nvirtual address 000000000000001c\n[  128.985058] Mem abort info:\n[  128.985372]   ESR = 0x0000000096000004\n[  128.985709]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  128.986176]   SET = 0, FnV = 0\n[  128.986521]   EA = 0, S1PTW = 0\n[  128.986804]   FSC = 0x04: level 0 translation fault\n[  128.987229] Data abort info:\n[  128.987597]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  128.988169]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  128.988811]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000\n[  128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000\n[  128.990736] Internal error: Oops: 0000000096000004 [#1] SMP\n[  128.991168] Modules linked in: nfs_layout_nfsv41_files\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace netfs\nuinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill\nip_set nf_tables nfnetlink qrtr vsock_loopback\nvmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock\nsunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc\nvideobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c\ne1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64\nnvme_core sr_mod cdrom sha1_ce drm_ttm_helper ttm drm_kms_helper drm\nsg fuse\n[  128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not\ntainted 6.8.0-rc6+ #12\n[  128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS\nVMW201.00V.21805430.BA64.2305221830 05/22/2023\n[  128.998084] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]\n[  128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  128.999384] pc : call_start+0x74/0x138 [sunrpc]\n[  128.999809] lr : __rpc_execute+0xb8/0x3e0 [sunrpc]\n[  129.000244] sp : ffff8000832b3a00\n[  129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000\n[  129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008\n[  129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000\n[  129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff\n[  129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88\n[  129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008\n[  129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00\n[  129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3\n[  129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680\n[  129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00\n[  129.005824] Call trace:\n[  129.005967]  call_start+0x74/0x138 [sunrpc]\n[  129.006233]  __rpc_execute+0xb8/0x3e0 [sunrpc]\n[  129.006506]  rpc_execute+0x160/0x1d8 [sunrpc]\n[  129.006778]  rpc_run_task+0x148/0x1f8 [sunrpc]\n[  129.007204]  tls_probe+0x80/0xd0 [sunrpc]\n[  129.007460]  rpc_ping+0x28/0x80 [sunrpc]\n[  129.007715]  rpc_create_xprt+0x134/0x1a0 [sunrpc]\n[  129.007999]  rpc_create+0x128/0x2a0 [sunrpc]\n[  129.008264]  xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]\n[  129.008583]  process_one_work+0x174/0x3c8\n[  129.008813]  worker_thread+0x2c8/0x3e0\n[  129.009033]  kthread+0x100/0x110\n[  129.009225]  ret_from_fork+0x10/0x20\n[  129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se resolvió la siguiente vulnerabilidad: SUNRPC: agrega un rpc_stat faltante para TCP TLS. El commit 1548036ef120 (\"nfs: crea rpc_stat por espacio de nombres de red\") agregó funcionalidad para especificar la función rpc_stats pero no la agregó a la funcionalidad TCP TLS. . Como resultado, montar con xprtsec=tls conduce a los siguientes errores del kernel. [128.984192] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 000000000000001c [128.985058] Información de cancelación de memoria: [128.985372] ESR = 0x0000000096000004 [128.985709] EC = 0x25: (EL actual), IL = 32 bits [ 128.986176] SET = 0 , FnV = 0 [ 128.986521] EA = 0, S1PTW = 0 [ 128.986804] FSC = 0x04: error de traducción de nivel 0 [ 128.987229] Información de cancelación de datos: [ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x000 00000 [ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 128.989302] tabla de páginas de usuario: páginas de 4k, VA de 48 bits, pgdp=0000000106c84000 [ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000 [ 128.990736] Error interno: Ups: 0000000096000004 [#1] SMP [ 168] Módulos vinculados en: nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd Grace netfs uinput dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf _rechazar_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock pc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common mc vmw_vmci xfs libcrc32c e1000e crct10dif_ce ghash_ce sha2_ce vmwgfx nvme sha256_arm64 nvme_core sr_mod cdrom sha1_ce _ttm_helper ttm drm_kms_helper drm sg fusible [ 128.996466 ] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: cargado No contaminado 6.8.0-rc6+ #12 [ 128.997226] Nombre de hardware: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.21805430.BA64 .2305221830 22/05/2023 [ 128.998084] Cola de trabajo: xprtiod xs_tcp_tls_setup_socket [sunrpc] [ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 28.999384] ordenador: call_start+0x74/ 0x138 [sunrpc] [128.999809] lr: __rpc_execute+0xb8/0x3e0 [sunrpc] [129.000244] sp: ffff8000832b3a00 [129.000508] x29: ffff8000832b3a00 x28: 0081ac79c0 x27: ffff800081ac7000 [ 129.001111] x26: 0000000004248060 x25: 00000000000000000 x24: ffff800081596008 [ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000 [ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: [ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88 [ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008 [129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9: ffff80007b087c00 [129.004577] x8: ffff00009a509de0 x7: 0000000000000000 x6: 00000000be8c4ee3 [ 129.005026] x5: 0000000000000000 x4: 0000000000000000 x3: ffff000094d56680 [129.005425] x2: ffff80007b0637f8 x1: ffff000090075600 x0: 00009a509d00 [ 129.005824] Rastreo de llamadas: [ 129.005967] call_start+0x74/0x138 [sunrpc] [ 129.006233] __rpc_execute+0xb8/0x3e0 [sunrpc] [ 129.006506] rpc_execute+0x160/0x1d8 [sunrpc] [ 129.006778] run_task+0x148/0x1f8 [sunrpc] [ 129.007204] tls_probe+0x80/ 0xd0 [sunrpc] [ 129.007460] rpc_ping+0x28/0x80 [sunrpc] [ 129.007715] rpc_create_xprt+0x134/0x1a0 [sunrpc] [ 129.007999] rpc_create+0x128/0x2a0 [ 129.008264] xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc] [ 129.008583 ] Process_one_work+0x174/0x3c8 [ 129.008813] work_thread+0x2c8/0x3e0 [ 129.009033] kthread+0x100/0x110 [ 129.009225] ret_from_fork+0x10/0x20 [ 129.009432] Código: ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)",
      },
   ],
   id: "CVE-2024-36907",
   lastModified: "2025-03-01T02:46:34.373",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-05-30T16:15:14.223",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/024f7744bd09cb2a47a0a96b9c8ad08109de99cc",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/8e088a20dbe33919695a8082c0b32deb62d23b4a",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/9b332c72299f2ac284ab3d7c0301969b933e4ca1",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-476",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.