CVE-2024-26589

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-26589
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26589.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26589
Downstream
Related
Published
2024-02-22T16:13:33.713Z
Modified
2026-03-14T12:29:50.236710Z
Summary
bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTRTOFLOW_KEYS

For PTRTOFLOWKEYS, checkflowkeysaccess() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6w=ctx() R7w=flowkeys() 2: (b7) r8 = 1024 ; R8w=1024 3: (37) r8 /= 1 ; R8w=scalar() 4: (57) r8 &= 1024 ; R8w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,varoff=(0x0; 0x400)) 5: (0f) r7 += r8 markprecise: frame0: lastidx 5 firstidx 0 subseqidx -1 markprecise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 markprecise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 markprecise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7w=flowkeys(smin=smin32=0,smax=umax=smax32=umax32=1024,varoff =(0x0; 0x400)) R8w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, varoff=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access:

BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpfdispatchernop_func include/linux/bpf.h:1231 [inline] __bpfprogrun include/linux/filter.h:651 [inline] bpfprogrun include/linux/filter.h:658 [inline] bpfprogrunpinoncpu include/linux/filter.h:675 [inline] bpfflowdissect+0x15f/0x350 net/core/flowdissector.c:991 bpfprogtestrunflowdissector+0x39d/0x620 net/bpf/testrun.c:1359 bpfprogtest_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __dosysbpf kernel/bpf/syscall.c:5561 [inline] __sesysbpf kernel/bpf/syscall.c:5559 [inline] __x64sysbpf+0x73/0xb0 kernel/bpf/syscall.c:5559 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0x3f/0x110 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flowkeys. Applying the patch rejects the program with "R7 pointer arithmetic on flowkeys prohibited".

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26589.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9
Fixed
29ffa63f21bcdcef3e36b03cccf9d0cd031f6ab0
Fixed
4108b86e324da42f7ed425bd71632fd844300dc8
Fixed
e8d3872b617c21100c5ee4f64e513997a68c2e3d
Fixed
1b500d5d6cecf98dd6ca88bc9e7ae1783c83e6d3
Fixed
22c7fa171a02d310e3a3f6ed46a698ca8a0060ed

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26589.json"