Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-49888

Severity CVSS v4.0:
Pending analysis
Type:
CWE-190 Integer Overflow or Wraparound
Publication date:
21/10/2024
Last modified:
13/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix a sdiv overflow issue<br /> <br /> Zac Ecob reported a problem where a bpf program may cause kernel crash due<br /> to the following error:<br /> Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI<br /> <br /> The failure is due to the below signed divide:<br /> LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808.<br /> LLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808,<br /> but it is impossible since for 64-bit system, the maximum positive<br /> number is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will<br /> cause a kernel exception. On arm64, the result for LLONG_MIN/-1 is<br /> LLONG_MIN.<br /> <br /> Further investigation found all the following sdiv/smod cases may trigger<br /> an exception when bpf program is running on x86_64 platform:<br /> - LLONG_MIN/-1 for 64bit operation<br /> - INT_MIN/-1 for 32bit operation<br /> - LLONG_MIN%-1 for 64bit operation<br /> - INT_MIN%-1 for 32bit operation<br /> where -1 can be an immediate or in a register.<br /> <br /> On arm64, there are no exceptions:<br /> - LLONG_MIN/-1 = LLONG_MIN<br /> - INT_MIN/-1 = INT_MIN<br /> - LLONG_MIN%-1 = 0<br /> - INT_MIN%-1 = 0<br /> where -1 can be an immediate or in a register.<br /> <br /> Insn patching is needed to handle the above cases and the patched codes<br /> produced results aligned with above arm64 result. The below are pseudo<br /> codes to handle sdiv/smod exceptions including both divisor -1 and divisor 0<br /> and the divisor is stored in a register.<br /> <br /> sdiv:<br /> tmp = rX<br /> tmp += 1 /* [-1, 0] -&gt; [0, 1]<br /> if tmp &gt;(unsigned) 1 goto L2<br /> if tmp == 0 goto L1<br /> rY = 0<br /> L1:<br /> rY = -rY;<br /> goto L3<br /> L2:<br /> rY /= rX<br /> L3:<br /> <br /> smod:<br /> tmp = rX<br /> tmp += 1 /* [-1, 0] -&gt; [0, 1]<br /> if tmp &gt;(unsigned) 1 goto L1<br /> if tmp == 1 (is64 ? goto L2 : goto L3)<br /> rY = 0;<br /> goto L2<br /> L1:<br /> rY %= rX<br /> L2:<br /> goto L4 // only when !is64<br /> L3:<br /> wY = wY // only when !is64<br /> L4:<br /> <br /> [1] https://lore.kernel.org/bpf/tPJLTEh7S_DxFEqAI2Ji5MBSoZVg7_G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.10.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.3 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools