lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Mar 2024 15:37:02 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Shung-Hsi Yu <shung-hsi.yu@...e.com>
Cc: linux-cve-announce@...r.kernel.org, cve@...nel.org,
	linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52462: bpf: fix check for attempt to corrupt spilled
 pointer

On Tue, Mar 05, 2024 at 11:41:52PM +0800, Shung-Hsi Yu wrote:
> On Fri, Feb 23, 2024 at 03:47:35PM +0100, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > bpf: fix check for attempt to corrupt spilled pointer
> > 
> > When register is spilled onto a stack as a 1/2/4-byte register, we set
> > slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,
> > depending on actual spill size). So to check if some stack slot has
> > spilled register we need to consult slot_type[7], not slot_type[0].
> > 
> > To avoid the need to remember and double-check this in the future, just
> > use is_spilled_reg() helper.
> > 
> > The Linux kernel CVE team has assigned CVE-2023-52462 to this issue.
> > 
> > 
> > Affected and fixed versions
> > ===========================
> > 
> > 	Issue introduced in 5.10.163 with commit cdd73a5ed084 and fixed in 5.10.209 with commit 2757f17972d8
> > 	Issue introduced in 5.15.86 with commit 07c286c10a9c and fixed in 5.15.148 with commit 67e6707f0735
> > 	Issue introduced in 5.16 with commit 27113c59b6d0 and fixed in 6.1.75 with commit fc3e3c50a0a4
> > 	Issue introduced in 5.16 with commit 27113c59b6d0 and fixed in 6.6.14 with commit 8dc15b067059
> > 	Issue introduced in 5.16 with commit 27113c59b6d0 and fixed in 6.7.2 with commit 40617d45ea05
> > 	Issue introduced in 5.16 with commit 27113c59b6d0 and fixed in 6.8-rc1 with commit ab125ed3ec1c
> 
> While commit 27113c59b6d0 ("bpf: Check the other end of slot_type for
> STACK_SPILL") is referenced in the Fixes tag, and made the switch to use
> slot_type[7] instead of slot_type[0]. This shouldn't cause any issue
> because its commit message stated that
> 
>   ... Verifier currently only saves the reg state if the whole 8 bytes
>   are spilled to the stack, so checking the slot_type[7] is the same as
>   checking slot_type[0].
> 
> It is the next commit in the series, commit 354e8f1970f8 ("bpf: Support
> <8-byte scalar spill and refill"), that rendered checking slot_type[0]
> problematic.
> 
> So I believe the issue is introduced with commit 354e8f1970f8 rather
> than 27113c59b6d0. That said kernel releases seems to either contain
> both or none of them at all, so in pratice the difference probably
> doesn't matter too much.

Thanks for the information!

greg k-h

> 
> > [snip]
> 

Powered by blists - more mailing lists