CVE-2023-52909

{"id": "CVE-2023-52909", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-08-21T07:15:06.857", "references": [{"url": "https://git.kernel.org/stable/c/0b3a551fa58b4da941efeb209b3770868e2eddd7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0b778361998d6c6356b8d2fc7ddf025fb3224654", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/45c08a752982116f3287afcd1bd9c50f4fab0c28", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/973acfdfe90c8a4e58ade97ff0653a498531ff2e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix handling of cached open files in nfsd4_open codepath\n\nCommit fb70bf124b05 (\"NFSD: Instantiate a struct file when creating a\nregular NFSv4 file\") added the ability to cache an open fd over a\ncompound. There are a couple of problems with the way this currently\nworks:\n\nIt's racy, as a newly-created nfsd_file can end up with its PENDING bit\ncleared while the nf is hashed, and the nf_file pointer is still zeroed\nout. Other tasks can find it in this state and they expect to see a\nvalid nf_file, and can oops if nf_file is NULL.\n\nAlso, there is no guarantee that we'll end up creating a new nfsd_file\nif one is already in the hash. If an extant entry is in the hash with a\nvalid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with\nthe value of op_file and the old nf_file will leak.\n\nFix both issues by making a new nfsd_file_acquirei_opened variant that\ntakes an optional file pointer. If one is present when this is called,\nwe'll take a new reference to it instead of trying to open the file. If\nthe nfsd_file already has a valid nf_file, we'll just ignore the\noptional file and pass the nfsd_file back as-is.\n\nAlso rework the tracepoints a bit to allow for an \"opened\" variant and\ndon't try to avoid counting acquisitions in the case where we already\nhave a cached open file."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: corrige el manejo de archivos abiertos almacenados en cach\u00e9 en la ruta de c\u00f3digo nfsd4_open el commit fb70bf124b05 (\"NFSD: crear una instancia de un archivo de estructura al crear un archivo NFSv4 normal\") agreg\u00f3 la capacidad de almacenar en cach\u00e9 un fd abierto sobre un compuesto. Hay un par de problemas con la forma en que esto funciona actualmente: Es picante, ya que un nfsd_file reci\u00e9n creado puede terminar con su bit PENDIENTE borrado mientras el nf tiene hash, y el puntero nf_file todav\u00eda est\u00e1 puesto a cero. Otras tareas pueden encontrarlo en este estado y esperan ver un nf_file v\u00e1lido, y pueden ir si nf_file es NULL. Adem\u00e1s, no hay garant\u00eda de que terminemos creando un nuevo nfsd_file si ya hay uno en el hash. Si una entrada existente est\u00e1 en el hash con un nf_file v\u00e1lido, nfs4_get_vfs_file golpear\u00e1 su puntero nf_file con el valor de op_file y el antiguo nf_file se filtrar\u00e1. Solucione ambos problemas creando una nueva variante nfsd_file_acquirei_opened que toma un puntero de archivo opcional. Si hay uno presente cuando se llama, tomaremos una nueva referencia en lugar de intentar abrir el archivo. Si el nfsd_file ya tiene un nf_file v\u00e1lido, simplemente ignoraremos el archivo opcional y devolveremos el nfsd_file tal como est\u00e1. Tambi\u00e9n vuelva a trabajar un poco los puntos de seguimiento para permitir una variante \"abierta\" y no intente evitar contar adquisiciones en el caso de que ya tengamos un archivo abierto en cach\u00e9."}], "lastModified": "2024-09-12T14:52:54.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3B4D9E4-9005-47B1-B0C1-FFC9874D6FF6", "versionEndExcluding": "6.1.7", "versionStartIncluding": "5.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}