CVE-2021-47608

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47608
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47608.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47608
Related
Published
2024-06-19T15:15:55Z
Modified
2024-10-31T14:16:04Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix kernel address leakage in atomic fetch

The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPFFETCH") around checkmem_access() handling is buggy since this would allow for unprivileged users to leak kernel pointers. For example, an atomic fetch/and with -1 on a stack destination which holds a spilled pointer will migrate the spilled register type into a scalar, which can then be exported out of the program (since scalar != pointer) by dumping it into a map value.

The original implementation of XADD was preventing this situation by using a double call to checkmemaccess() one with BPFREAD and a subsequent one with BPFWRITE, in both cases passing -1 as a placeholder value instead of register as per XADD semantics since it didn't contain a value fetch. The BPFREAD also included a check in checkstackreadfixedoff() which rejects the program if the stack slot is of _ispointervalue() if dstregno < 0. The latter is to distinguish whether we're dealing with a regular stack spill/ fill or some arithmetical operation which is disallowed on non-scalars, see also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged users") for more context on checkmem_access() and its handling of placeholder value -1.

One minimally intrusive option to fix the leak is for the BPFFETCH case to initially check the BPFREAD case via checkmemaccess() with -1 as register, followed by the actual load case with non-negative load_reg to propagate stack bounds to registers.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}