| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024110955-CVE-2024-50262-9cd7@gregkh> Date: Sat, 9 Nov 2024 11:17:56 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-50262: bpf: Fix out-of-bounds write in trie_get_next_key() Description =========== In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8. The Linux kernel CVE team has assigned CVE-2024-50262 to this issue. Affected and fixed versions =========================== Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 4.19.323 with commit e8494ac07981 Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 5.4.285 with commit 91afbc0eb3c9 Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 5.10.229 with commit 590976f92172 Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 5.15.171 with commit 86c8ebe02d88 Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 6.1.116 with commit a035df0b98df Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 6.6.60 with commit 90a6e0e1e151 Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 6.11.7 with commit c4b4f9a9ab82 Issue introduced in 4.16 with commit b471f2f1de8b and fixed in 6.12-rc6 with commit 13400ac8fb80 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-50262 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: kernel/bpf/lpm_trie.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e8494ac079814a53fbc2258d2743e720907488ed https://git.kernel.org/stable/c/91afbc0eb3c90258ae378ae3c6ead3d2371e926d https://git.kernel.org/stable/c/590976f921723d53ac199c01d5b7b73a94875e68 https://git.kernel.org/stable/c/86c8ebe02d8806dd8878d0063e8e185622ab6ea6 https://git.kernel.org/stable/c/a035df0b98df424559fd383e8e1a268f422ea2ba https://git.kernel.org/stable/c/90a6e0e1e151ef7a9282e78f54c3091de2dcc99c https://git.kernel.org/stable/c/c4b4f9a9ab82238cb158fa4fe61a8c0ae21a4980 https://git.kernel.org/stable/c/13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21
Powered by blists - more mailing lists