lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2024102151-CVE-2024-49850-4cc6@gregkh>
Date: Mon, 21 Oct 2024 14:18:52 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-49850: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos

In case of a malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
referencing a non-existing BTF type, function bpf_core_calc_relo_insn
would cause a null pointer dereference.

Fix this by adding a proper check upper in call stack, as malformed
relocation records could be passed from user space.

Simplest reproducer is a program:

    r0 = 0
    exit

With a single relocation record:

    .insn_off = 0,          /* patch first instruction */
    .type_id = 100500,      /* this type id does not exist */
    .access_str_off = 6,    /* offset of string "0" */
    .kind = BPF_CORE_TYPE_ID_LOCAL,

See the link for original reproducer or next commit for a test case.

The Linux kernel CVE team has assigned CVE-2024-49850 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 5.17 with commit 74753e1462e7 and fixed in 6.1.113 with commit dc7ce14f00bc
	Issue introduced in 5.17 with commit 74753e1462e7 and fixed in 6.6.54 with commit 2288b54b96dc
	Issue introduced in 5.17 with commit 74753e1462e7 and fixed in 6.10.13 with commit 584cd3ff792e
	Issue introduced in 5.17 with commit 74753e1462e7 and fixed in 6.11.2 with commit e7e9c5b2dda2
	Issue introduced in 5.17 with commit 74753e1462e7 and fixed in 6.12-rc1 with commit 3d2786d65aaa

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49850
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	kernel/bpf/btf.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/dc7ce14f00bcd50641f2110b7a32aa6552e0780f
	https://git.kernel.org/stable/c/2288b54b96dcb55bedebcef3572bb8821fc5e708
	https://git.kernel.org/stable/c/584cd3ff792e1edbea20b2a7df55897159b0be3e
	https://git.kernel.org/stable/c/e7e9c5b2dda29067332df2a85b0141a92b41f218
	https://git.kernel.org/stable/c/3d2786d65aaa954ebd3fcc033ada433e10da21c4
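The following is an added example, not part of the announcement above and not the kernel's own code: a small user-space C model of the bug class the advisory describes. It reproduces the advisory's relocation record (insn_off 0, type_id 100500, access_str_off 6, kind BPF_CORE_TYPE_ID_LOCAL) against a toy BTF table, shows that the unchecked inner routine receives a NULL type for the unknown id, and shows the shape of the fix: validate the user-supplied type id before anything dereferences it. All struct names, the relocation kind's numeric value, the toy BTF contents and the helper names (btf_type_by_id, calc_relo_insn, apply_core_relo) are simplified stand-ins chosen for this example, not the kernel's actual definitions.

```c
/* Added example, not kernel code: a user-space model of the missing check
 * behind CVE-2024-49850.  Types and helpers are simplified stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical numeric value; the kernel's enum bpf_core_relo_kind defines
 * BPF_CORE_TYPE_ID_LOCAL, and only the name matters for this model. */
enum relo_kind { RELO_TYPE_ID_LOCAL = 10 };

struct btf_type { uint32_t name_off; uint32_t size; };

/* Toy BTF: a fixed table of types, id 0 being the void type as in real BTF. */
struct btf { const struct btf_type *types; uint32_t nr_types; };

/* Relocation record as user space hands it to the kernel. */
struct core_relo {
    uint32_t insn_off;       /* byte offset of the instruction to patch */
    uint32_t type_id;        /* BTF type id the relocation refers to */
    uint32_t access_str_off; /* offset of the access string in the string table */
    uint32_t kind;
};

/* 8-byte eBPF instruction layout. */
struct insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; };

/* Lookup contract modelled on the kernel's: an out-of-range id yields NULL. */
static const struct btf_type *btf_type_by_id(const struct btf *btf, uint32_t id)
{
    return id < btf->nr_types ? &btf->types[id] : NULL;
}

/* Model of the inner routine: it trusts its caller and dereferences the type.
 * Reaching it with an unknown id is the NULL dereference the CVE fixes; the
 * model returns -EFAULT at that point instead of crashing so it stays runnable. */
static int calc_relo_insn(const struct btf *btf, const struct core_relo *relo,
                          struct insn *insn)
{
    const struct btf_type *t = btf_type_by_id(btf, relo->type_id);
    if (!t)
        return -EFAULT;               /* stand-in for the crash */
    (void)t->size;                    /* the real code inspects the type here */
    if (relo->kind != RELO_TYPE_ID_LOCAL)
        return -EINVAL;               /* other kinds are out of scope for the model */
    insn->imm = (int32_t)relo->type_id; /* TYPE_ID_LOCAL resolves to the local id */
    return 0;
}

/* Hardened entry point: reject a malformed record before any dereference,
 * i.e. the check placed higher in the call stack.  The insn_off bounds check
 * is an assumption of this model, added because insn_off is user-controlled too. */
static int apply_core_relo(const struct btf *btf, const struct core_relo *relo,
                           struct insn *prog, uint32_t prog_len,
                           char *err, size_t errlen)
{
    uint32_t idx = relo->insn_off / sizeof(struct insn);

    if (relo->insn_off % sizeof(struct insn) != 0 || idx >= prog_len) {
        snprintf(err, errlen, "bad insn_off %u", relo->insn_off);
        return -EINVAL;
    }
    if (!btf_type_by_id(btf, relo->type_id)) {
        snprintf(err, errlen, "bad type id %u", relo->type_id);
        return -EINVAL;
    }
    return calc_relo_insn(btf, relo, &prog[idx]);
}

/* Constructed toy BTF with three types (ids 0..2). */
static const struct btf_type toy_types[3] = { {0, 0}, {1, 4}, {5, 8} };
static const struct btf toy_btf = { toy_types, 3 };

/* The advisory's reproducer: "r0 = 0; exit" with one malformed relocation. */
static const struct core_relo malformed = { 0, 100500, 6, RELO_TYPE_ID_LOCAL };

/* Unchecked path: returns -EFAULT, standing in for the NULL dereference. */
int unchecked_result(void)
{
    struct insn prog[2] = { { 0xb7, 0, 0, 0 }, { 0x95, 0, 0, 0 } };
    return calc_relo_insn(&toy_btf, &malformed, &prog[0]);
}

/* Hardened path on the malformed record: rejected with -EINVAL, no deref. */
int run_malformed_relo(void)
{
    struct insn prog[2] = { { 0xb7, 0, 0, 0 }, { 0x95, 0, 0, 0 } };
    char err[64];
    return apply_core_relo(&toy_btf, &malformed, prog, 2, err, sizeof err);
}

/* Hardened path on a well-formed record: returns the patched immediate. */
int run_valid_relo(void)
{
    struct insn prog[2] = { { 0xb7, 0, 0, 0 }, { 0x95, 0, 0, 0 } };
    struct core_relo ok = { 0, 2, 6, RELO_TYPE_ID_LOCAL };
    char err[64];
    if (apply_core_relo(&toy_btf, &ok, prog, 2, err, sizeof err) != 0)
        return -1;
    return prog[0].imm;
}

int main(void)
{
    printf("unchecked: %d, checked malformed: %d, checked valid imm: %d\n",
           unchecked_result(), run_malformed_relo(), run_valid_relo());
    return 0;
}
```

The point the model makes is the one the advisory states: the type lookup already reports an unknown id by returning NULL, so the only missing piece was a caller that tests that result on the user-controlled path and fails the load with -EINVAL rather than letting the inner routine dereference it.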