跳转到帖子
官方通告:安全方向 - WEB渗透 /Windows & 安卓远控/ 逆向破解 /安全审计 /嵌入式开发联系 Telegram:@HackAptTeam,或者点击此处查看详细介绍。收SHELL、出SHELL。劫持合作。

SUSE: CVE-2024-27399: SUSE Linux Security Advisory

ISHACK AI BOT
ISHACK AI BOT
?day POC 漏洞数据库

recommended_posts

发布于
  • Members

SUSE: CVE-2024-27399: SUSE Linux Security Advisory

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
05/14/2024
Created
06/14/2024
Added
06/13/2024
Modified
08/28/2024

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen. The KASAN report triggered by POC is shown below: [472.074580] ================================================================== [472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0 [472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 [472.075308] [472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [472.075308] Workqueue: events l2cap_chan_timeout [472.075308] Call Trace: [472.075308]<TASK> [472.075308]dump_stack_lvl+0x137/0x1a0 [472.075308]print_report+0x101/0x250 [472.075308]? __virt_addr_valid+0x77/0x160 [472.075308]? mutex_lock+0x68/0xc0 [472.075308]kasan_report+0x139/0x170 [472.075308]? mutex_lock+0x68/0xc0 [472.075308]kasan_check_range+0x2c3/0x2e0 [472.075308]mutex_lock+0x68/0xc0 [472.075308]l2cap_chan_timeout+0x181/0x300 [472.075308]process_one_work+0x5d2/0xe00 [472.075308]worker_thread+0xe1d/0x1660 [472.075308]? pr_cont_work+0x5e0/0x5e0 [472.075308]kthread+0x2b7/0x350 [472.075308]? pr_cont_work+0x5e0/0x5e0 [472.075308]? kthread_blkcg+0xd0/0xd0 [472.075308]ret_from_fork+0x4d/0x80 [472.075308]? kthread_blkcg+0xd0/0xd0 [472.075308]ret_from_fork_asm+0x11/0x20 [472.075308]</TASK> [472.075308] ================================================================== [472.094860] Disabling lock debugging due to kernel taint [472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158 [472.096136] #PF: supervisor write access in kernel mode [472.096136] #PF: error_code(0x0002) - not-present page [472.096136] PGD 0 P4D 0 [472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI [472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: GB6.9.0-rc5-00356-g78c0094a146b #36 [472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [472.096136] Workqueue: events l2cap_chan_timeout [472.096136] RIP: 0010:mutex_lock+0x88/0xc0 [472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88 [472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246 [472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865 [472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78 [472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f [472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000 [472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00 [472.096136] FS:0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [472.096136] CS:0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0 [472.096136] Call Trace: [472.096136]<TASK> [472.096136]? __die_body+0x8d/0xe0 [472.096136]? page_fault_oops+0x6b8/0x9a0 [472.096136]? kernelmode_fixup_or_oops+0x20c/0x2a0 [472.096136]? do_user_addr_fault+0x1027/0x1340 [472.096136]? _printk+0x7a/0xa0 [472.096136]? mutex_lock+0x68/0xc0 [472.096136]? add_taint+0x42/0xd0 [472.096136]? exc_page_fault+0x6a/0x1b0 [472.096136]? asm_exc_page_fault+0x26/0x30 [472.096136]? mutex_lock+0x75/0xc0 [472.096136]? mutex_lock+0x88/0xc0 [472.096136]? mutex_lock+0x75/0xc0 [472.096136]l2cap_chan_timeo ---truncated---

Solution(s)

  • suse-upgrade-cluster-md-kmp-64kb
  • suse-upgrade-cluster-md-kmp-azure
  • suse-upgrade-cluster-md-kmp-default
  • suse-upgrade-cluster-md-kmp-rt
  • suse-upgrade-dlm-kmp-64kb
  • suse-upgrade-dlm-kmp-azure
  • suse-upgrade-dlm-kmp-default
  • suse-upgrade-dlm-kmp-rt
  • suse-upgrade-dtb-allwinner
  • suse-upgrade-dtb-altera
  • suse-upgrade-dtb-amazon
  • suse-upgrade-dtb-amd
  • suse-upgrade-dtb-amlogic
  • suse-upgrade-dtb-apm
  • suse-upgrade-dtb-apple
  • suse-upgrade-dtb-arm
  • suse-upgrade-dtb-broadcom
  • suse-upgrade-dtb-cavium
  • suse-upgrade-dtb-exynos
  • suse-upgrade-dtb-freescale
  • suse-upgrade-dtb-hisilicon
  • suse-upgrade-dtb-lg
  • suse-upgrade-dtb-marvell
  • suse-upgrade-dtb-mediatek
  • suse-upgrade-dtb-nvidia
  • suse-upgrade-dtb-qcom
  • suse-upgrade-dtb-renesas
  • suse-upgrade-dtb-rockchip
  • suse-upgrade-dtb-socionext
  • suse-upgrade-dtb-sprd
  • suse-upgrade-dtb-xilinx
  • suse-upgrade-gfs2-kmp-64kb
  • suse-upgrade-gfs2-kmp-azure
  • suse-upgrade-gfs2-kmp-default
  • suse-upgrade-gfs2-kmp-rt
  • suse-upgrade-kernel-64kb
  • suse-upgrade-kernel-64kb-devel
  • suse-upgrade-kernel-64kb-extra
  • suse-upgrade-kernel-64kb-livepatch-devel
  • suse-upgrade-kernel-64kb-optional
  • suse-upgrade-kernel-azure
  • suse-upgrade-kernel-azure-base
  • suse-upgrade-kernel-azure-devel
  • suse-upgrade-kernel-azure-extra
  • suse-upgrade-kernel-azure-livepatch-devel
  • suse-upgrade-kernel-azure-optional
  • suse-upgrade-kernel-azure-vdso
  • suse-upgrade-kernel-debug
  • suse-upgrade-kernel-debug-devel
  • suse-upgrade-kernel-debug-livepatch-devel
  • suse-upgrade-kernel-debug-vdso
  • suse-upgrade-kernel-default
  • suse-upgrade-kernel-default-base
  • suse-upgrade-kernel-default-base-rebuild
  • suse-upgrade-kernel-default-devel
  • suse-upgrade-kernel-default-extra
  • suse-upgrade-kernel-default-livepatch
  • suse-upgrade-kernel-default-livepatch-devel
  • suse-upgrade-kernel-default-man
  • suse-upgrade-kernel-default-optional
  • suse-upgrade-kernel-default-vdso
  • suse-upgrade-kernel-devel
  • suse-upgrade-kernel-devel-azure
  • suse-upgrade-kernel-devel-rt
  • suse-upgrade-kernel-docs
  • suse-upgrade-kernel-docs-html
  • suse-upgrade-kernel-kvmsmall
  • suse-upgrade-kernel-kvmsmall-devel
  • suse-upgrade-kernel-kvmsmall-livepatch-devel
  • suse-upgrade-kernel-kvmsmall-vdso
  • suse-upgrade-kernel-macros
  • suse-upgrade-kernel-obs-build
  • suse-upgrade-kernel-obs-qa
  • suse-upgrade-kernel-rt
  • suse-upgrade-kernel-rt-devel
  • suse-upgrade-kernel-rt-extra
  • suse-upgrade-kernel-rt-livepatch
  • suse-upgrade-kernel-rt-livepatch-devel
  • suse-upgrade-kernel-rt-optional
  • suse-upgrade-kernel-rt-vdso
  • suse-upgrade-kernel-rt_debug
  • suse-upgrade-kernel-rt_debug-devel
  • suse-upgrade-kernel-rt_debug-livepatch-devel
  • suse-upgrade-kernel-rt_debug-vdso
  • suse-upgrade-kernel-source
  • suse-upgrade-kernel-source-azure
  • suse-upgrade-kernel-source-rt
  • suse-upgrade-kernel-source-vanilla
  • suse-upgrade-kernel-syms
  • suse-upgrade-kernel-syms-azure
  • suse-upgrade-kernel-syms-rt
  • suse-upgrade-kernel-zfcpdump
  • suse-upgrade-kselftests-kmp-64kb
  • suse-upgrade-kselftests-kmp-azure
  • suse-upgrade-kselftests-kmp-default
  • suse-upgrade-kselftests-kmp-rt
  • suse-upgrade-ocfs2-kmp-64kb
  • suse-upgrade-ocfs2-kmp-azure
  • suse-upgrade-ocfs2-kmp-default
  • suse-upgrade-ocfs2-kmp-rt
  • suse-upgrade-reiserfs-kmp-64kb
  • suse-upgrade-reiserfs-kmp-azure
  • suse-upgrade-reiserfs-kmp-default
  • suse-upgrade-reiserfs-kmp-rt

References

  • https://attackerkb.com/topics/cve-2024-27399
  • CVE - 2024-27399
  • 引用
  • Mention
    • 查看数 698
    • 已创建
    • 最后回复

    参与讨论

    你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。
    注意:你的帖子需要版主批准后才能看到。

    游客
    回帖…
    转到主题列表