CVE-2024-49888

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a sdiv overflow issue

Zac Ecob reported a problem where a bpf program may cause kernel crash due to the following error: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI

The failure is due to the below signed divide: LLONGMIN/-1 where LLONGMIN equals to -9,223,372,036,854,775,808. LLONGMIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808, but it is impossible since for 64-bit system, the maximum positive number is 9,223,372,036,854,775,807. On x8664, LLONGMIN/-1 will cause a kernel exception. On arm64, the result for LLONGMIN/-1 is LLONG_MIN.

Further investigation found all the following sdiv/smod cases may trigger an exception when bpf program is running on x8664 platform: - LLONGMIN/-1 for 64bit operation - INTMIN/-1 for 32bit operation - LLONGMIN%-1 for 64bit operation - INT_MIN%-1 for 32bit operation where -1 can be an immediate or in a register.

On arm64, there are no exceptions: - LLONGMIN/-1 = LLONGMIN - INTMIN/-1 = INTMIN - LLONGMIN%-1 = 0 - INTMIN%-1 = 0 where -1 can be an immediate or in a register.

Insn patching is needed to handle the above cases and the patched codes produced results aligned with above arm64 result. The below are pseudo codes to handle sdiv/smod exceptions including both divisor -1 and divisor 0 and the divisor is stored in a register.

sdiv: tmp = rX tmp += 1 /* [-1, 0] -> [0, 1] if tmp >(unsigned) 1 goto L2 if tmp == 0 goto L1 rY = 0 L1: rY = -rY; goto L3 L2: rY /= rX L3:

smod: tmp = rX tmp += 1 /* [-1, 0] -> [0, 1] if tmp >(unsigned) 1 goto L1 if tmp == 1 (is64 ? goto L2 : goto L3) rY = 0; goto L2 L1: rY %= rX L2: goto L4 // only when !is64 L3: wY = wY // only when !is64 L4:

[1] https://lore.kernel.org/bpf/tPJLTEh7SDxFEqAI2Ji5MBSoZVg7G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/