CVE-2024-43910

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-43910
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43910.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-43910
Related
Published
2024-08-26T11:15:05Z
Modified
2024-09-18T03:26:36.823974Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses

Currently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to a global function as an argument. The adverse effect of this is that BPF helpers can continue to make use of this modified CONST_PTR_TO_DYNPTR from within the context of the global function, which can unintentionally result in out-of-bounds memory accesses and therefore compromise overall system stability, i.e.

[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140
[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302
[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533
[ 244.174318] Call Trace:
[ 244.175787]  <TASK>
[ 244.177356]  dump_stack_lvl+0x66/0xa0
[ 244.179531]  print_report+0xce/0x670
[ 244.182314]  ? __virt_addr_valid+0x200/0x3e0
[ 244.184908]  kasan_report+0xd7/0x110
[ 244.187408]  ? bpf_dynptr_data+0x137/0x140
[ 244.189714]  ? bpf_dynptr_data+0x137/0x140
[ 244.192020]  bpf_dynptr_data+0x137/0x140
[ 244.194264]  bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26
[ 244.198044]  bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23
[ 244.202136]  bpf_user_ringbuf_drain+0x2c7/0x570
[ 244.204744]  ? 0xffffffffc0009e58
[ 244.206593]  ? __pfx_bpf_user_ringbuf_drain+0x10/0x10
[ 244.209795]  bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b
[ 244.215922]  bpf_trampoline_6442502480+0x43/0xe3
[ 244.218691]  __x64_sys_prlimit64+0x9/0xf0
[ 244.220912]  do_syscall_64+0xc1/0x1d0
[ 244.223043]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 244.226458] RIP: 0033:0x7ffa3eb8f059
[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e
[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059
[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0
[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000
[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80
[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000
[ 244.268303]  </TASK>

Add a check_func_arg_reg_off() to the path in which the BPF verifier verifies the arguments of global function arguments, specifically those which take an argument of type ARG_PTR_TO_DYNPTR | MEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any explicit and strict type matching on the supplied register type, so let's also enforce that the caller supplies a register of type PTR_TO_STACK or CONST_PTR_TO_DYNPTR.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.10.6-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}