CVE-2024-26589

Severity CVSS v4.0:
Pending analysis
Type:
CWE-119 Buffer Errors
Publication date:
22/02/2024
Last modified:
18/03/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

func#0 @0
0: R1=ctx() R10=fp0
0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()
1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()
2: (b7) r8 = 1024 ; R8_w=1024
3: (37) r8 /= 1 ; R8_w=scalar()
4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
5: (0f) r7 += r8
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()
7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access:

BUG: unable to handle page fault for address: ffffc90014c80038
[...]
Call Trace:

bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
__bpf_prog_run include/linux/filter.h:651 [inline]
bpf_prog_run include/linux/filter.h:658 [inline]
bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
__sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
__x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited".
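The verifier gap described above, as an added C model that is not part of this record or of the kernel source: a small tnum implementation reproduces the r8 state shown in the log, check_flow_keys_access() is mirrored so that it consults only the fixed offset, and ptr_add() shows the pointer ALU step with and without the fix. The flow_keys size, the register struct and every function name other than check_flow_keys_access() are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Tracked number (tnum) as the verifier uses it: bits set in `mask` are unknown. */
struct tnum { uint64_t value, mask; };

static struct tnum tnum_const(uint64_t v) { return (struct tnum){ v, 0 }; }
static struct tnum tnum_unknown(void)     { return (struct tnum){ 0, ~0ULL }; }
static bool tnum_is_const(struct tnum t)  { return t.mask == 0; }
static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t alpha = a.value | a.mask, beta = b.value | b.mask, v = a.value & b.value;
    return (struct tnum){ v, alpha & beta & ~v };
}

/* r8 as the log derives it: "r8 /= 1" leaves an unknown scalar, "r8 &= 1024" then
 * yields var_off=(0x0; 0x400), i.e. the value is either 0 or 1024. */
struct tnum r8_after_alu(void)
{
    struct tnum r8 = tnum_unknown();       /* (b7) r8 = 1024; (37) r8 /= 1 */
    return tnum_and(r8, tnum_const(1024)); /* (57) r8 &= 1024 */
}

/* Minimal PTR_TO_FLOW_KEYS register: fixed offset plus a variable part (model only). */
struct reg { int32_t off; struct tnum var_off; };
#define FLOW_KEYS_SIZE 56  /* constructed stand-in for sizeof(struct bpf_flow_keys) */

/* Mirrors check_flow_keys_access(): only the fixed offset is validated. */
static int check_flow_keys_access(int off, int size)
{
    return (off < 0 || size < 0 || off + size > FLOW_KEYS_SIZE) ? -1 : 0;
}

/* Pointer ALU on flow_keys.  Unpatched, a non-constant scalar lands in var_off, which
 * the access check never consults; patched, the ALU itself is rejected (-EACCES). */
static int ptr_add(struct reg *ptr, struct tnum scalar, bool patched)
{
    if (tnum_is_const(scalar)) { ptr->off += (int32_t)scalar.value; return 0; }
    if (patched) return -1;  /* "R7 pointer arithmetic on flow_keys prohibited" */
    ptr->var_off = scalar;   /* assumes ptr carried no variable offset before */
    return 0;
}

/* Replays the log's program through the model: 0 = accepted, -1 = rejected. */
int verify_prog(bool patched)
{
    struct reg r7 = { 0, tnum_const(0) };                  /* r7 = flow_keys() */
    if (ptr_add(&r7, r8_after_alu(), patched)) return -1;  /* (0f) r7 += r8 */
    return check_flow_keys_access(r7.off + 0, 8);          /* (79) r0 = *(u64 *)(r7 +0) */
}
```

Unpatched, verify_prog() accepts the program because the fixed offset 0 passes the bounds check while the 1024-byte variable part is never examined; patched, it is rejected at the pointer ALU.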

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.15.148 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16.0 (including) 6.1.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2.0 (including) 6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7.0 (including) 6.7.2 (excluding)