| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7p643u2dcn6cen32dbtrcki62qrn3o2hyiplbx2hkpcojuiev5@3hbnkswhtha3>
Date: Fri, 24 May 2024 11:58:54 +0800
From: Shung-Hsi Yu <shung-hsi.yu@...e.com>
To: cve@...nel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org, Michal Hocko <mhocko@...e.com>
Subject: Re: CVE-2023-52793: samples/bpf: syscall_tp_user: Fix array
out-of-bound access
On Tue, 21 May 2024 17:31:29 +0200, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> samples/bpf: syscall_tp_user: Fix array out-of-bound access
>
> Commit 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint
> to syscall_tp sample") added two more eBPF programs to support the
> openat2() syscall. However, it did not increase the size of the array
> that holds the corresponding bpf_links. This leads to an out-of-bound
> access on that array in the bpf_object__for_each_program loop and could
> corrupt other variables on the stack. On our testing QEMU, it corrupts
> the map1_fds array and causes the sample to fail:
>
> # ./syscall_tp
> prog #0: map ids 4 5
> verify map:4 val: 5
> map_lookup failed: Bad file descriptor
>
> Dynamically allocate the array based on the number of programs reported
> by libbpf to prevent similar inconsistencies in the future
>
> The Linux kernel CVE team has assigned CVE-2023-52793 to this issue.
I would like to dispute this CVE.
Files in samples/bpf are meant to serve as an example and not code that
are directly used at run-time, hence I believe this bug does not have
security implication.
--
Shung-Hsi Yu
> ...
Powered by blists - more mailing lists