Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-26588

Severity CVSS v4.0:
Pending analysis
Type:
CWE-119 Buffer Errors
Publication date:
22/02/2024
Last modified:
30/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: BPF: Prevent out-of-bounds memory access<br /> <br /> The test_tag test triggers an unhandled page fault:<br /> <br /> # ./test_tag<br /> [ 130.640218] CPU 0 Unable to handle kernel paging request at virtual address ffff80001b898004, era == 9000000003137f7c, ra == 9000000003139e70<br /> [ 130.640501] Oops[#3]:<br /> [ 130.640553] CPU: 0 PID: 1326 Comm: test_tag Tainted: G D O 6.7.0-rc4-loong-devel-gb62ab1a397cf #47 61985c1d94084daa2432f771daa45b56b10d8d2a<br /> [ 130.640764] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022<br /> [ 130.640874] pc 9000000003137f7c ra 9000000003139e70 tp 9000000104cb4000 sp 9000000104cb7a40<br /> [ 130.641001] a0 ffff80001b894000 a1 ffff80001b897ff8 a2 000000006ba210be a3 0000000000000000<br /> [ 130.641128] a4 000000006ba210be a5 00000000000000f1 a6 00000000000000b3 a7 0000000000000000<br /> [ 130.641256] t0 0000000000000000 t1 00000000000007f6 t2 0000000000000000 t3 9000000004091b70<br /> [ 130.641387] t4 000000006ba210be t5 0000000000000004 t6 fffffffffffffff0 t7 90000000040913e0<br /> [ 130.641512] t8 0000000000000005 u0 0000000000000dc0 s9 0000000000000009 s0 9000000104cb7ae0<br /> [ 130.641641] s1 00000000000007f6 s2 0000000000000009 s3 0000000000000095 s4 0000000000000000<br /> [ 130.641771] s5 ffff80001b894000 s6 ffff80001b897fb0 s7 9000000004090c50 s8 0000000000000000<br /> [ 130.641900] ra: 9000000003139e70 build_body+0x1fcc/0x4988<br /> [ 130.642007] ERA: 9000000003137f7c build_body+0xd8/0x4988<br /> [ 130.642112] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)<br /> [ 130.642261] PRMD: 00000004 (PPLV0 +PIE -PWE)<br /> [ 130.642353] EUEN: 00000003 (+FPE +SXE -ASXE -BTE)<br /> [ 130.642458] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)<br /> [ 130.642554] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)<br /> [ 130.642658] BADV: ffff80001b898004<br /> [ 130.642719] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)<br /> [ 130.642815] Modules linked in: [last unloaded: bpf_testmod(O)]<br /> [ 130.642924] Process test_tag (pid: 1326, threadinfo=00000000f7f4015f, task=000000006499f9fd)<br /> [ 130.643062] Stack : 0000000000000000 9000000003380724 0000000000000000 0000000104cb7be8<br /> [ 130.643213] 0000000000000000 25af8d9b6e600558 9000000106250ea0 9000000104cb7ae0<br /> [ 130.643378] 0000000000000000 0000000000000000 9000000104cb7be8 90000000049f6000<br /> [ 130.643538] 0000000000000090 9000000106250ea0 ffff80001b894000 ffff80001b894000<br /> [ 130.643685] 00007ffffb917790 900000000313ca94 0000000000000000 0000000000000000<br /> [ 130.643831] ffff80001b894000 0000000000000ff7 0000000000000000 9000000100468000<br /> [ 130.643983] 0000000000000000 0000000000000000 0000000000000040 25af8d9b6e600558<br /> [ 130.644131] 0000000000000bb7 ffff80001b894048 0000000000000000 0000000000000000<br /> [ 130.644276] 9000000104cb7be8 90000000049f6000 0000000000000090 9000000104cb7bdc<br /> [ 130.644423] ffff80001b894000 0000000000000000 00007ffffb917790 90000000032acfb0<br /> [ 130.644572] ...<br /> [ 130.644629] Call Trace:<br /> [ 130.644641] [] build_body+0xd8/0x4988<br /> [ 130.644785] [] bpf_int_jit_compile+0x228/0x4ec<br /> [ 130.644891] [] bpf_prog_select_runtime+0x158/0x1b0<br /> [ 130.645003] [] bpf_prog_load+0x760/0xb44<br /> [ 130.645089] [] __sys_bpf+0xbb8/0x2588<br /> [ 130.645175] [] sys_bpf+0x20/0x2c<br /> [ 130.645259] [] do_syscall+0x7c/0x94<br /> [ 130.645369] [] handle_syscall+0xbc/0x158<br /> [ 130.645507]<br /> [ 130.645539] Code: 380839f6 380831f9 28412bae 004081ad 0014cb50 004083e8 02bff34c 58008e91<br /> [ 130.645729]<br /> [ 130.646418] ---[ end trace 0000000000000000 ]---<br /> <br /> On my machine, which has CONFIG_PAGE_SIZE_16KB=y, the test failed at<br /> loading a BPF prog with 2039 instructions:<br /> <br /> prog = (struct bpf_prog *)ffff80001b894000<br /> insn = (struct bpf_insn *)(prog-&gt;insnsi)fff<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1 (including) 6.1.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools