ghsa-37rv-6wmp-jjqr
Vulnerability from github
Published
2024-10-21 12:30
Modified
2024-10-24 15:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fail verification for sign-extension of packet data/data_end/data_meta

syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field.

The original code looks like: r2 = (s32 )(r1 + 76) / load __sk_buff->data / r3 = (u32 )(r1 + 80) / load __sk_buff->data_end / r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension.

After verification and convert_ctx_accesses(), the final asm code looks like: r2 = (u64 )(r1 +208) r2 = (s32)r2 r3 = (u64 )(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure.

Currently, in C code, typically we have void data = (void )(long)skb->data; void data_end = (void )(long)skb->data_end; ... and it will generate r2 = (u64 )(r1 +208) r3 = (u64 )(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1

If we allow sign-extension, void data = (void )(long)(int)skb->data; void data_end = (void )(long)skb->data_end; ... the generated code looks like r2 = (u64 )(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = (u64 )(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer.

To fix this issue for case r2 = (s32 )(r1 + 76) / load __sk_buff->data / this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail.

[1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-47702"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T12:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n  commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n        r2 = *(s32 *)(r1 + 76) /* load __sk_buff-\u003edata */\n        r3 = *(u32 *)(r1 + 80) /* load __sk_buff-\u003edata_end */\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto +1\n        ...\nNote that __sk_buff-\u003edata load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n        r2 = *(u64 *)(r1 +208)\n        r2 = (s32)r2\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto pc+1\n        ...\nNote that \u0027r2 = (s32)r2\u0027 may make the kernel __sk_buff-\u003edata address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n        void *data = (void *)(long)skb-\u003edata;\n        void *data_end = (void *)(long)skb-\u003edata_end;\n        ...\nand it will generate\n        r2 = *(u64 *)(r1 +208)\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto pc+1\n\nIf we allow sign-extension,\n        void *data = (void *)(long)(int)skb-\u003edata;\n        void *data_end = (void *)(long)skb-\u003edata_end;\n        ...\nthe generated code looks like\n        r2 = *(u64 *)(r1 +208)\n        r2 \u003c\u003c= 32\n        r2 s\u003e\u003e= 32\n        r3 = *(u64 *)(r1 +80)\n        r0 = r2\n        r0 += 8\n        if r3 \u003e r0 goto pc+1\nand this will cause verification failure since \"r2 \u003c\u003c= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n  r2 = *(s32 *)(r1 + 76) /* load __sk_buff-\u003edata */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extenstion, the verification will fail.\n\n  [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/",
  "id": "GHSA-37rv-6wmp-jjqr",
  "modified": "2024-10-24T15:31:08Z",
  "published": "2024-10-21T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47702"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92de36080c93296ef9005690705cba260b9bd68a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f09757fe97a225ae505886eac572e4cbfba96537"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1620c93a1ec950d87ef327a565d3907736d3340"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.