目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2022-49006— Linux kernel 安全漏洞

AI 预测 7.8 利用难度: 困难 EPSS 0.26% · P17

影响版本矩阵 12

厂商产品版本范围状态
LinuxLinux77b44d1b7c28360910cdbd427fb62d485c08674c< 1603feac154ff38514e8354e3079a455eb4801e2affected
77b44d1b7c28360910cdbd427fb62d485c08674c< be111ebd8868d4b7c041cb3c6102e1ae27d6dc1daffected
77b44d1b7c28360910cdbd427fb62d485c08674c< 417d5ea6e735e5d88ffb6c436cf2938f3f476dd1affected
77b44d1b7c28360910cdbd427fb62d485c08674c< c52d0c8c4f38f7580cff61c4dfe1034c580cedfdaffected
77b44d1b7c28360910cdbd427fb62d485c08674c< 4313e5a613049dfc1819a6dfb5f94cf2caff9452affected
2.6.33affected
< 2.6.33unaffected
5.4.226≤ 5.4.*unaffected
… +4 条更多
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2022-49006 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
tracing: Free buffers when a used dynamic event is removed
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel: # cd /sys/kernel/tracing # for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and created another will reuse the previous events type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function call's first parameter as an integer. # echo 1 > kprobes/foo/enable # cat /etc/passwd > /dev/null # cat trace cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 # echo 0 > kprobes/foo/enable Now if we delete the kprobe and create a new one that reads a string: # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events And now we can the trace: # cat trace sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="��������������������������������������� ---truncated---
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于tracing子系统中动态事件移除后缓冲区未释放的问题,可能导致内核崩溃。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux 77b44d1b7c28360910cdbd427fb62d485c08674c ~ 1603feac154ff38514e8354e3079a455eb4801e2 -
LinuxLinux 2.6.33 -

二、漏洞 CVE-2022-49006 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2022-49006 的情报信息

登录查看更多情报信息。

CVE-2022-49006 补丁与修复 (5)

同批安全公告 · Linux · 2024-10-21 · 共 372 条

CVE-2024-50017Linux kernel 安全漏洞
CVE-2024-50028Linux kernel 安全漏洞
CVE-2024-50029Linux kernel 安全漏洞
CVE-2024-50027Linux kernel 安全漏洞
CVE-2024-50025Linux kernel 安全漏洞
CVE-2024-50026Linux kernel 安全漏洞
CVE-2024-50023Linux kernel 安全漏洞
CVE-2024-50024Linux kernel 安全漏洞
CVE-2024-50022Linux kernel 安全漏洞
CVE-2024-50021Linux kernel 安全漏洞
CVE-2024-50020Linux kernel 安全漏洞
CVE-2024-50019Linux kernel 安全漏洞
CVE-2024-50010Linux kernel 安全漏洞
CVE-2024-50005Linux kernel 安全漏洞
CVE-2024-50006Linux kernel 安全漏洞
CVE-2024-50007Linux kernel 安全漏洞
CVE-2024-50008Linux kernel 安全漏洞
CVE-2024-50009Linux kernel 安全漏洞
CVE-2024-50013Linux kernel 安全漏洞
CVE-2024-50015Linux kernel 安全漏洞

显示前 20 条,共 372 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2022-49006

暂无评论


发表评论