github - ghsa-37rv-6wmp-jjqr

ghsa-37rv-6wmp-jjqr

Vulnerability from github

Published

2024-10-21 12:30

Modified

2024-10-24 15:31

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fail verification for sign-extension of packet data/data_end/data_meta

syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field.

The original code looks like: r2 = (s32 )(r1 + 76) / load __sk_buff->data / r3 = (u32 )(r1 + 80) / load __sk_buff->data_end / r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension.

After verification and convert_ctx_accesses(), the final asm code looks like: r2 = (u64 )(r1 +208) r2 = (s32)r2 r3 = (u64 )(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure.

Currently, in C code, typically we have void data = (void )(long)skb->data; void data_end = (void )(long)skb->data_end; ... and it will generate r2 = (u64 )(r1 +208) r3 = (u64 )(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1

If we allow sign-extension, void data = (void )(long)(int)skb->data; void data_end = (void )(long)skb->data_end; ... the generated code looks like r2 = (u64 )(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = (u64 )(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer.

To fix this issue for case r2 = (s32 )(r1 + 76) / load __sk_buff->data / this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail.

[1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2024-47702",
   ],
   database_specific: {
      cwe_ids: [],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-10-21T12:15:06Z",
      severity: "MODERATE",
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n  commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n        r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\n        r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto +1\n        ...\nNote that __sk_buff->data load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n        r2 = *(u64 *)(r1 +208)\n        r2 = (s32)r2\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\n        ...\nNote that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n        void *data = (void *)(long)skb->data;\n        void *data_end = (void *)(long)skb->data_end;\n        ...\nand it will generate\n        r2 = *(u64 *)(r1 +208)\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\n\nIf we allow sign-extension,\n        void *data = (void *)(long)(int)skb->data;\n        void *data_end = (void *)(long)skb->data_end;\n        ...\nthe generated code looks like\n        r2 = *(u64 *)(r1 +208)\n        r2 <<= 32\n        r2 s>>= 32\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\nand this will cause verification failure since \"r2 <<= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n  r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extenstion, the verification will fail.\n\n  [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/",
   id: "GHSA-37rv-6wmp-jjqr",
   modified: "2024-10-24T15:31:08Z",
   published: "2024-10-21T12:30:55Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47702",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/92de36080c93296ef9005690705cba260b9bd68a",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/f09757fe97a225ae505886eac572e4cbfba96537",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/f1620c93a1ec950d87ef327a565d3907736d3340",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
         type: "CVSS_V3",
      },
   ],
}

cve-2024-47702

Vulnerability from cvelistv5

Published

2024-10-21 11:53

Modified

2024-12-19 09:26

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fail verification for sign-extension of packet data/data_end/data_meta syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field. The original code looks like: r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */ r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension. After verification and convert_ctx_accesses(), the final asm code looks like: r2 = *(u64 *)(r1 +208) r2 = (s32)r2 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure. Currently, in C code, typically we have void *data = (void *)(long)skb->data; void *data_end = (void *)(long)skb->data_end; ... and it will generate r2 = *(u64 *)(r1 +208) r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 If we allow sign-extension, void *data = (void *)(long)(int)skb->data; void *data_end = (void *)(long)skb->data_end; ... the generated code looks like r2 = *(u64 *)(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer. To fix this issue for case r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail. [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/

References

▼	URL	Tags
	https://git.kernel.org/stable/c/f1620c93a1ec950d87ef327a565d3907736d3340
	https://git.kernel.org/stable/c/f09757fe97a225ae505886eac572e4cbfba96537
	https://git.kernel.org/stable/c/92de36080c93296ef9005690705cba260b9bd68a

Impacted products

Vendor

Product

Version

▼

Linux

Version: 1f1e864b65554e33fe74e3377e58b12f4302f2eb
Version: 1f1e864b65554e33fe74e3377e58b12f4302f2eb
Version: 1f1e864b65554e33fe74e3377e58b12f4302f2eb

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-47702",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-21T13:04:24.861686Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-21T13:14:13.443Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "include/linux/bpf.h",
                  "kernel/bpf/verifier.c",
                  "net/core/filter.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "f1620c93a1ec950d87ef327a565d3907736d3340",
                     status: "affected",
                     version: "1f1e864b65554e33fe74e3377e58b12f4302f2eb",
                     versionType: "git",
                  },
                  {
                     lessThan: "f09757fe97a225ae505886eac572e4cbfba96537",
                     status: "affected",
                     version: "1f1e864b65554e33fe74e3377e58b12f4302f2eb",
                     versionType: "git",
                  },
                  {
                     lessThan: "92de36080c93296ef9005690705cba260b9bd68a",
                     status: "affected",
                     version: "1f1e864b65554e33fe74e3377e58b12f4302f2eb",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "include/linux/bpf.h",
                  "kernel/bpf/verifier.c",
                  "net/core/filter.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     status: "affected",
                     version: "6.6",
                  },
                  {
                     lessThan: "6.6",
                     status: "unaffected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.10.*",
                     status: "unaffected",
                     version: "6.10.13",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "6.11.*",
                     status: "unaffected",
                     version: "6.11.2",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "6.12",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n  commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n        r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\n        r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto +1\n        ...\nNote that __sk_buff->data load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n        r2 = *(u64 *)(r1 +208)\n        r2 = (s32)r2\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\n        ...\nNote that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n        void *data = (void *)(long)skb->data;\n        void *data_end = (void *)(long)skb->data_end;\n        ...\nand it will generate\n        r2 = *(u64 *)(r1 +208)\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\n\nIf we allow sign-extension,\n        void *data = (void *)(long)(int)skb->data;\n        void *data_end = (void *)(long)skb->data_end;\n        ...\nthe generated code looks like\n        r2 = *(u64 *)(r1 +208)\n        r2 <<= 32\n        r2 s>>= 32\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 > r0 goto pc+1\nand this will cause verification failure since \"r2 <<= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n  r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extenstion, the verification will fail.\n\n  [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/",
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-12-19T09:26:24.243Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/f1620c93a1ec950d87ef327a565d3907736d3340",
            },
            {
               url: "https://git.kernel.org/stable/c/f09757fe97a225ae505886eac572e4cbfba96537",
            },
            {
               url: "https://git.kernel.org/stable/c/92de36080c93296ef9005690705cba260b9bd68a",
            },
         ],
         title: "bpf: Fail verification for sign-extension of packet data/data_end/data_meta",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2024-47702",
      datePublished: "2024-10-21T11:53:37.958Z",
      dateReserved: "2024-09-30T16:00:12.945Z",
      dateUpdated: "2024-12-19T09:26:24.243Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted