From 7688f0a2002ce8cdcdee99e988809ff94d528c18 Mon Sep 17 00:00:00 2001
From: wzk
Date: Fri, 10 Mar 2023 07:42:16 +0000
Subject: [PATCH 1/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-1118?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/linux-kernel/2023/CVE-2023-1118/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/linux-kernel/2023/CVE-2023-1118/.keep
diff --git a/cve/linux-kernel/2023/CVE-2023-1118/.keep b/cve/linux-kernel/2023/CVE-2023-1118/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 5e92d96cd668a6a94c9e4ec8bf64fdcce5a784a6 Mon Sep 17 00:00:00 2001
From: wzk
Date: Fri, 10 Mar 2023 08:04:36 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-23003?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/linux-kernel/2023/CVE-2023-23003/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/linux-kernel/2023/CVE-2023-23003/.keep
diff --git a/cve/linux-kernel/2023/CVE-2023-23003/.keep b/cve/linux-kernel/2023/CVE-2023-23003/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 2f7032fabe574661399abc899277b886c77ff913 Mon Sep 17 00:00:00 2001
From: wzk
Date: Fri, 10 Mar 2023 08:42:27 +0000
Subject: [PATCH 3/7] =?UTF-8?q?add=20cve/linux-kernel/2023/CVE-2023-23003/?=
 =?UTF-8?q?expr.c.=20=E5=9C=A8=205.16=20=E4=B9=8B=E5=89=8D=E7=9A=84=20Linu?=
 =?UTF-8?q?x=20=E5=86=85=E6=A0=B8=E4=B8=AD=EF=BC=8Ctools/perf/util/expr.c?=
 =?UTF-8?q?=20=E7=BC=BA=E5=B0=91=E5=AF=B9hashmap=5F=5Fnew=E8=BF=94?=
 =?UTF-8?q?=E5=9B=9E=E5=80=BC=E7=9A=84=E6=A3=80=E6=9F=A5=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: wzk
---
 cve/linux-kernel/2023/CVE-2023-23003/expr.c | 354 ++++++++++++++++++++
 1 file changed, 354 insertions(+)
 create mode 100644 cve/linux-kernel/2023/CVE-2023-23003/expr.c
diff --git a/cve/linux-kernel/2023/CVE-2023-23003/expr.c b/cve/linux-kernel/2023/CVE-2023-23003/expr.c
new file mode 100644
index 00000000..0e589551
--- /dev/null
+++ b/cve/linux-kernel/2023/CVE-2023-23003/expr.c
@@ -0,0 +1,354 @@
+#include "expr-bison.h"
+#include "expr-flex.h"
+#include "smt.h"
+#include
+#include
+#include
+#include
+#include
+#ifdef PARSER_DEBUG
+extern int expr_debug;
+#endif
+struct expr_id_data {
+ union {
+ struct {
+ double val;
+ int source_count;
+ } val;
+ struct {
+ double val;
+ const char *metric_name;
+ const char *metric_expr;
+ } ref;
+ };
+ enum {
+ /* Holding a double value. */
+ EXPR_ID_DATA__VALUE,
+ /* Reference to another metric. */
+ EXPR_ID_DATA__REF,
+ /* A reference but the value has been computed. */
+ EXPR_ID_DATA__REF_VALUE,
+ } kind;
+};
+static size_t key_hash(const void *key, void *ctx __maybe_unused)
+{
+ const char *str = (const char *)key;
+ size_t hash = 0;
+ while (*str != '\0') {
+ hash *= 31;
+ hash += *str;
+ str++;
+ }
+ return hash;
+}
+static bool key_equal(const void *key1, const void *key2,
+ void *ctx __maybe_unused)
+{
+ return !strcmp((const char *)key1, (const char *)key2);
+}
+struct hashmap *ids__new(void)
+{
+ return hashmap__new(key_hash, key_equal, NULL);
+}
+void ids__free(struct hashmap *ids)
+{
+ struct hashmap_entry *cur;
+ size_t bkt;
+ if (ids == NULL)
+ return;
+ hashmap__for_each_entry(ids, cur, bkt) {
+ free((char *)cur->key);
+ free(cur->value);
+ }
+ hashmap__free(ids);
+}
+int ids__insert(struct hashmap *ids, const char *id)
+{
+ struct expr_id_data *data_ptr = NULL, *old_data = NULL;
+ char *old_key = NULL;
+ int ret;
+ ret = hashmap__set(ids, id, data_ptr,
+ (const void **)&old_key, (void **)&old_data);
+ if (ret)
+ free(data_ptr);
+ free(old_key);
+ free(old_data);
+ return ret;
+}
+struct hashmap *ids__union(struct hashmap *ids1, struct hashmap *ids2)
+{
+ size_t bkt;
+ struct hashmap_entry *cur;
+ int ret;
+ struct expr_id_data *old_data = NULL;
+ char *old_key = NULL;
+ if (!ids1)
+ return ids2;
+ if (!ids2)
+ return ids1;
+ if (hashmap__size(ids1) < hashmap__size(ids2)) {
+ struct hashmap *tmp = ids1;
+ ids1 = ids2;
+ ids2 = tmp;
+ }
+ hashmap__for_each_entry(ids2, cur, bkt) {
+ ret = hashmap__set(ids1, cur->key, cur->value,
+ (const void **)&old_key, (void **)&old_data);
+ free(old_key);
+ free(old_data);
+ if (ret) {
+ hashmap__free(ids1);
+ hashmap__free(ids2);
+ return NULL;
+ }
+ }
+ hashmap__free(ids2);
+ return ids1;
+}
+/* Caller must make sure id is allocated */
+int expr__add_id(struct expr_parse_ctx *ctx, const char *id)
+{
+ return ids__insert(ctx->ids, id);
+}
+/* Caller must make sure id is allocated */
+int expr__add_id_val(struct expr_parse_ctx *ctx, const char *id, double val)
+{
+ return expr__add_id_val_source_count(ctx, id, val, /*source_count=*/1);
+}
+/* Caller must make sure id is allocated */
+int expr__add_id_val_source_count(struct expr_parse_ctx *ctx, const char *id,
+ double val, int source_count)
+{
+ struct expr_id_data *data_ptr = NULL, *old_data = NULL;
+ char *old_key = NULL;
+ int ret;
+ data_ptr = malloc(sizeof(*data_ptr));
+ if (!data_ptr)
+ return -ENOMEM;
+ data_ptr->val.val = val;
+ data_ptr->val.source_count = source_count;
+ data_ptr->kind = EXPR_ID_DATA__VALUE;
+ ret = hashmap__set(ctx->ids, id, data_ptr,
+ (const void **)&old_key, (void **)&old_data);
+ if (ret)
+ free(data_ptr);
+ free(old_key);
+ free(old_data);
+ return ret;
+}
+int expr__add_ref(struct expr_parse_ctx *ctx, struct metric_ref *ref)
+{
+ struct expr_id_data *data_ptr = NULL, *old_data = NULL;
+ char *old_key = NULL;
+ char *name, *p;
+ int ret;
+ data_ptr = zalloc(sizeof(*data_ptr));
+ if (!data_ptr)
+ return -ENOMEM;
+ name = strdup(ref->metric_name);
+ if (!name) {
+ free(data_ptr);
+ return -ENOMEM;
+ }
+ /*
+ * The jevents tool converts all metric expressions
+ * to lowercase, including metric references, hence
+ * we need to add lowercase name for metric, so it's
+ * properly found.
+ */
+ for (p = name; *p; p++)
+ *p = tolower(*p);
+ /*
+ * Intentionally passing just const char pointers,
+ * originally from 'struct pmu_event' object.
+ * We don't need to change them, so there's no
+ * need to create our own copy.
+ */
+ data_ptr->ref.metric_name = ref->metric_name;
+ data_ptr->ref.metric_expr = ref->metric_expr;
+ data_ptr->kind = EXPR_ID_DATA__REF;
+ ret = hashmap__set(ctx->ids, name, data_ptr,
+ (const void **)&old_key, (void **)&old_data);
+ if (ret)
+ free(data_ptr);
+ pr_debug2("adding ref metric %s: %s\n",
+ ref->metric_name, ref->metric_expr);
+ free(old_key);
+ free(old_data);
+ return ret;
+}
+int expr__get_id(struct expr_parse_ctx *ctx, const char *id,
+ struct expr_id_data **data)
+{
+ return hashmap__find(ctx->ids, id, (void **)data) ? 0 : -1;
+}
+bool expr__subset_of_ids(struct expr_parse_ctx *haystack,
+ struct expr_parse_ctx *needles)
+{
+ struct hashmap_entry *cur;
+ size_t bkt;
+ struct expr_id_data *data;
+ hashmap__for_each_entry(needles->ids, cur, bkt) {
+ if (expr__get_id(haystack, cur->key, &data))
+ return false;
+ }
+ return true;
+}
+int expr__resolve_id(struct expr_parse_ctx *ctx, const char *id,
+ struct expr_id_data **datap)
+{
+ struct expr_id_data *data;
+ if (expr__get_id(ctx, id, datap) || !*datap) {
+ pr_debug("%s not found\n", id);
+ return -1;
+ }
+ data = *datap;
+ switch (data->kind) {
+ case EXPR_ID_DATA__VALUE:
+ pr_debug2("lookup(%s): val %f\n", id, data->val.val);
+ break;
+ case EXPR_ID_DATA__REF:
+ pr_debug2("lookup(%s): ref metric name %s\n", id,
+ data->ref.metric_name);
+ pr_debug("processing metric: %s ENTRY\n", id);
+ data->kind = EXPR_ID_DATA__REF_VALUE;
+ if (expr__parse(&data->ref.val, ctx, data->ref.metric_expr)) {
+ pr_debug("%s failed to count\n", id);
+ return -1;
+ }
+ pr_debug("processing metric: %s EXIT: %f\n", id, data->ref.val);
+ break;
+ case EXPR_ID_DATA__REF_VALUE:
+ pr_debug2("lookup(%s): ref val %f metric name %s\n", id,
+ data->ref.val, data->ref.metric_name);
+ break;
+ default:
+ assert(0); /* Unreachable. */
+ }
+ return 0;
+}
+void expr__del_id(struct expr_parse_ctx *ctx, const char *id)
+{
+ struct expr_id_data *old_val = NULL;
+ char *old_key = NULL;
+ hashmap__delete(ctx->ids, id,
+ (const void **)&old_key, (void **)&old_val);
+ free(old_key);
+ free(old_val);
+}
+struct expr_parse_ctx *expr__ctx_new(void)
+{
+ struct expr_parse_ctx *ctx;
+ ctx = malloc(sizeof(struct expr_parse_ctx));
+ if (!ctx)
+ return NULL;
+
+ ctx->ids = hashmap__new(key_hash, key_equal, NULL);
+ if (IS_ERR(ctx->ids)) {
+ free(ctx);
+ return NULL;
+ }
+ ctx->runtime = 0;
+
+ return ctx;
+}
+void expr__ctx_clear(struct expr_parse_ctx *ctx)
+{
+ struct hashmap_entry *cur;
+ size_t bkt;
+ hashmap__for_each_entry(ctx->ids, cur, bkt) {
+ free((char *)cur->key);
+ free(cur->value);
+ }
+ hashmap__clear(ctx->ids);
+}
+void expr__ctx_free(struct expr_parse_ctx *ctx)
+{
+ struct hashmap_entry *cur;
+ size_t bkt;
+ hashmap__for_each_entry(ctx->ids, cur, bkt) {
+ free((char *)cur->key);
+ free(cur->value);
+ }
+ hashmap__free(ctx->ids);
+ free(ctx);
+}
+static int
+__expr__parse(double *val, struct expr_parse_ctx *ctx, const char *expr,
+ bool compute_ids)
+{
+ struct expr_scanner_ctx scanner_ctx = {
+ .runtime = ctx->runtime,
+ };
+ YY_BUFFER_STATE buffer;
+ void *scanner;
+ int ret;
+ pr_debug2("parsing metric: %s\n", expr);
+ ret = expr_lex_init_extra(&scanner_ctx, &scanner);
+ if (ret)
+ return ret;
+ buffer = expr__scan_string(expr, scanner);
+#ifdef PARSER_DEBUG
+ expr_debug = 1;
+ expr_set_debug(1, scanner);
+#endif
+ ret = expr_parse(val, ctx, compute_ids, scanner);
+ expr__flush_buffer(buffer, scanner);
+ expr__delete_buffer(buffer, scanner);
+ expr_lex_destroy(scanner);
+ return ret;
+}
+int expr__parse(double *final_val, struct expr_parse_ctx *ctx,
+ const char *expr)
+{
+ return __expr__parse(final_val, ctx, expr, /*compute_ids=*/false) ? -1 : 0;
+}
+int expr__find_ids(const char *expr, const char *one,
+ struct expr_parse_ctx *ctx)
+{
+ int ret = __expr__parse(NULL, ctx, expr, /*compute_ids=*/true);
+ if (one)
+ expr__del_id(ctx, one);
+ return ret;
+}
+double expr_id_data__value(const struct expr_id_data *data)
+{
+ if (data->kind == EXPR_ID_DATA__VALUE)
+ return data->val.val;
+ assert(data->kind == EXPR_ID_DATA__REF_VALUE);
+ return data->ref.val;
+}
+double expr_id_data__source_count(const struct expr_id_data *data)
+{
+ assert(data->kind == EXPR_ID_DATA__VALUE);
+ return data->val.source_count;
+}
+double expr__get_literal(const char *literal)
+{
+ static struct cpu_topology *topology;
+ if (!strcmp("#smt_on", literal))
+ return smt_on() > 0 ? 1.0 : 0.0;
+ if (!strcmp("#num_cpus", literal))
+ return cpu__max_present_cpu();
+ /*
+ * Assume that topology strings are consistent, such as CPUs "0-1"
+ * wouldn't be listed as "0,1", and so after deduplication the number of
+ * these strings gives an indication of the number of packages, dies,
+ * etc.
+ */
+ if (!topology) {
+ topology = cpu_topology__new();
+ if (!topology) {
+ pr_err("Error creating CPU topology");
+ return NAN;
+ }
+ }
+ if (!strcmp("#num_packages", literal))
+ return topology->package_cpus_lists;
+ if (!strcmp("#num_dies", literal))
+ return topology->die_cpus_lists;
+ if (!strcmp("#num_cores", literal))
+ return topology->core_cpus_lists;
+ pr_err("Unrecognized literal '%s'", literal);
+ return NAN;
+}
\ No newline at end of file
-- Gitee
From 0058ec42cd48503e6b704cdbbd907604c02780c9 Mon Sep 17 00:00:00 2001
From: wzk
Date: Tue, 14 Mar 2023 11:55:52 +0000
Subject: [PATCH 4/7] =?UTF-8?q?update=20=E6=BC=8F=E6=B4=9E=E6=A8=A1?=
 =?UTF-8?q?=E7=89=88.yaml.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: wzk
---
 ...\346\264\236\346\250\241\347\211\210.yaml" | 37 ++++++++++---------
 1 file changed, 19 insertions(+), 18 deletions(-)
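Review bot: `ids__new` hands the result of `hashmap__new()` straight back to its callers, yet `expr__ctx_new` further down this same hunk checks that result with `IS_ERR()` rather than against NULL, so on allocation failure `ids__new` presumably returns an error pointer that any caller testing `!ids` would accept as a live map — the same missing-check pattern this CVE entry is about, just one function over. Suggest `struct hashmap *hash = hashmap__new(key_hash, key_equal, NULL); if (IS_ERR(hash)) return NULL; return hash;` so every caller sees a single failure convention. Separately, in `expr__add_ref` the `strdup`'d `name` is released on no path: when `hashmap__set` fails only `data_ptr` is freed, so `if (ret) { free(data_ptr); free(name); }` closes the leak (on success the map owns the key, as `ids__free` shows by freeing `cur->key`). The file is added whole, so every function here is complete within the hunk.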
diff --git "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
index 1de85f71..6bd62446 100644
--- "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
+++ "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
@@ -1,19 +1,20 @@
-id: 漏洞编号
-source: 漏洞验证程序来源
+id: CVE-2022-1234
+source: 自主发现
 info:
- name: 漏洞软件包简介
- severity: 漏洞危害
- description: |
- 漏洞描述
- scope-of-influence:
- 漏洞影响范围
- reference:
- - 漏洞相关链接
- classification:
- cvss-metrics: CVSS:3.1
- cvss-score: 漏洞评分
- cve-id:
- cwe-id:
- cnvd-id:
- kve-id:
- tags: 漏洞标签
\ No newline at end of file
+name: 软件包X的XX漏洞
+severity: 高危
+description: |
+软件包X存在XX漏洞,攻击者可以通过XX途径在目标系统上执行任意代码,从而导致机密信息泄漏、系统崩溃等风险。
+scope-of-influence:
+影响版本:X.X.X及以下版本
+reference:
+- https://securitytracker.com/id/STID123456
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1234
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+cvss-score: 9.8
+cve-id: CVE-2022-1234
+cwe-id: CWE-123
+cnvd-id: CNVD-XXXX-XXXXX
+kve-id: KVE-XXXX-XXXXX
+tags: 漏洞标签,例如"远程代码执行","权限提升"等等。
\ No newline at end of file
-- Gitee
From 48163d3c61b6a54693ab3d9868e640b159565a9d Mon Sep 17 00:00:00 2001
From: wzk
Date: Tue, 14 Mar 2023 12:09:56 +0000
Subject: [PATCH 5/7] =?UTF-8?q?rename=20=E6=BC=8F=E6=B4=9E=E6=A8=A1?=
 =?UTF-8?q?=E7=89=88.yaml=20to=20CVE-2023-23003.yaml.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: wzk
---
 CVE-2023-23003.yaml | 20 +++++++++++++++++++
 ...\346\264\236\346\250\241\347\211\210.yaml" | 20 -------------------
 2 files changed, 20 insertions(+), 20 deletions(-)
 create mode 100644 CVE-2023-23003.yaml
 delete mode 100644 "\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
diff --git a/CVE-2023-23003.yaml b/CVE-2023-23003.yaml
new file mode 100644
index 00000000..c71c71b4
--- /dev/null
+++ b/CVE-2023-23003.yaml
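Review bot: Every key the template kept under `info:` (`name:`, `severity:`, `description: |`, `reference:`, `classification:` and the rest) is written at column 0 in the new lines, and the `description: |` block scalar is followed by an unindented text line, so if this view reflects the file's real indentation nothing is nested under `info` any more and the block scalar has no body — a YAML loader will either flatten the entry or reject it. The removed lines still show those keys indented (`- name: 漏洞软件包简介`, `- - 漏洞相关链接`), so the flattening appears to be introduced by this patch rather than inherited; worth confirming against the raw file, since whitespace may have been lost in this rendering. Suggest restoring the nesting, e.g. `info:` / `  name: 软件包X的XX漏洞` / `  description: |` with the description text indented one level deeper than `description:`. The same flat layout recurs in the CVE-2023-23003.yaml hunks added by patches 5 and 6 below.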
@@ -0,0 +1,20 @@
+id: CVE-2023-23003
+source: Linux kernel prior to 5.16
+info:
+name: Linux kernel perf工具expr.c空指针解引用漏洞
+severity: 高危
+description: |
+Linux kernel中的perf工具是一种性能测试和调优工具,可以使用它来测量各种系统性能。Linux内核版本5.16之前的perf工具中存在漏洞。由于缺乏对hashmap__new返回值的检查,攻击者可以利用该漏洞来导致空指针解引用和拒绝服务攻击。成功利用此漏洞需要攻击者在系统上拥有一定的权限。
+scope-of-influence:
+受影响的版本:Linux kernel版本5.16之前的perf工具。
+reference:
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23003
+- https://lore.kernel.org/patchwork/patch/1569281/
+classification:
+cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 8.8
+cve-id: CVE-2023-23003
+cwe-id: CWE-476: NULL Pointer Dereference
+cnvd-id: N/A
+kve-id: N/A
+tags: NULL Pointer Dereference, perf, Linux kernel, denial-of-service
\ No newline at end of file
diff --git "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
deleted file mode 100644
index 6bd62446..00000000
--- "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
+++ /dev/null
@@ -1,20 +0,0 @@
-id: CVE-2022-1234
-source: 自主发现
-info:
-name: 软件包X的XX漏洞
-severity: 高危
-description: |
-软件包X存在XX漏洞,攻击者可以通过XX途径在目标系统上执行任意代码,从而导致机密信息泄漏、系统崩溃等风险。
-scope-of-influence:
-影响版本:X.X.X及以下版本
-reference:
-- https://securitytracker.com/id/STID123456
-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1234
-classification:
-cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-cvss-score: 9.8
-cve-id: CVE-2022-1234
-cwe-id: CWE-123
-cnvd-id: CNVD-XXXX-XXXXX
-kve-id: KVE-XXXX-XXXXX
-tags: 漏洞标签,例如"远程代码执行","权限提升"等等。
\ No newline at end of file
-- Gitee
From 0f6085458fd763b3e54385c43902ed5c5cd113c1 Mon Sep 17 00:00:00 2001
From: wzk
Date: Tue, 14 Mar 2023 12:13:06 +0000
Subject: [PATCH 6/7] add cve/linux-kernel/2023/CVE-2023-23003.yaml.
Signed-off-by: wzk
---
 cve/linux-kernel/2023/CVE-2023-23003.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 cve/linux-kernel/2023/CVE-2023-23003.yaml
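Review bot: `cwe-id: CWE-476: NULL Pointer Dereference` is a plain scalar that itself contains `: `, which YAML does not permit inside a value (typical loaders stop with a "mapping values are not allowed here" error), so the whole entry fails to load; quote it, `cwe-id: "CWE-476: NULL Pointer Dereference"`, or keep only the identifier, `cwe-id: CWE-476`, as the template's `CWE-123` example did. The `cvss-metrics` vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` and its 8.8 score claim high confidentiality and integrity impact, while the `description` a few lines up describes only a null-pointer dereference leading to denial of service; unless there is a reason for C:H/I:H, the vector should be availability-only and the score recomputed from it so the entry does not overstate severity. Both points apply unchanged to the copy of this file re-added under cve/linux-kernel/2023/ in patch 6 below — note its blob id (51f4eb05) differs from this one (c71c71b4), so the two copies are not byte-identical even though they read the same here.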
diff --git a/cve/linux-kernel/2023/CVE-2023-23003.yaml b/cve/linux-kernel/2023/CVE-2023-23003.yaml
new file mode 100644
index 00000000..51f4eb05
--- /dev/null
+++ b/cve/linux-kernel/2023/CVE-2023-23003.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-23003
+source: Linux kernel prior to 5.16
+info:
+name: Linux kernel perf工具expr.c空指针解引用漏洞
+severity: 高危
+description: |
+Linux kernel中的perf工具是一种性能测试和调优工具,可以使用它来测量各种系统性能。Linux内核版本5.16之前的perf工具中存在漏洞。由于缺乏对hashmap__new返回值的检查,攻击者可以利用该漏洞来导致空指针解引用和拒绝服务攻击。成功利用此漏洞需要攻击者在系统上拥有一定的权限。
+scope-of-influence:
+受影响的版本:Linux kernel版本5.16之前的perf工具。
+reference:
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23003
+- https://lore.kernel.org/patchwork/patch/1569281/
+classification:
+cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 8.8
+cve-id: CVE-2023-23003
+cwe-id: CWE-476: NULL Pointer Dereference
+cnvd-id: N/A
+kve-id: N/A
+tags: NULL Pointer Dereference, perf, Linux kernel, denial-of-service
\ No newline at end of file
-- Gitee
From 2b60674b317d47a2ba8408f3e16b243baebd0c34 Mon Sep 17 00:00:00 2001
From: wzk
Date: Tue, 14 Mar 2023 12:14:04 +0000
Subject: [PATCH 7/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?=
 =?UTF-8?q?linux-kernel/2023/CVE-2023-23003/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/linux-kernel/2023/CVE-2023-23003/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/linux-kernel/2023/CVE-2023-23003/.keep
diff --git a/cve/linux-kernel/2023/CVE-2023-23003/.keep b/cve/linux-kernel/2023/CVE-2023-23003/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee