Message-ID: <o7mtz7q3537vuw3gcqjxjdrsg4p6k7dvldu7dabonx2wrcyomn@ks5pl5soifjv>
Date: Tue, 12 Nov 2024 16:14:32 +0800
From: Shung-Hsi Yu <shung-hsi.yu@...e.com>
To: Tao Lyu <tao.lyu@...l.ch>
Cc: Eduard Zingerman <eddyz87@...il.com>, 
	Andrii Nakryiko <andrii@...nel.org>, cve@...nel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52920: bpf: support non-r10 register spill/fill to/from stack in precision tracking

On Fri, Nov 08, 2024 at 07:59:22AM GMT, Tao Lyu wrote:
...
> >> I'm trying to determine the security implication of CVE-2023-52920, or
> >> more specifically, what does commit 41f6f64e6999 ("bpf: support non-r10
> >> register spill/fill to/from stack in precision tracking") fix.
> >> Superficially this looks more like an improvement to the verifier.
> >
> > It is my understanding as well, that this commit is an optimization to
> > avoid some precision marks. I do not see any security implications.
...
> Hi Andrii, Eduard, and Shung-Hsi,
> 
> The previous discussion is here: https://lore.kernel.org/bpf/20231020155842.130257-1-tao.lyu@epfl.ch/ 
> 
> In short, without this patch, the verifier will miss checking an execution path that can have out-of-bound access,
> which eventually leads to privilege escalation, like obtaining the root privilege.

Thank you both for looking into this, and Tao's pointer to the previous
discussion. I'll try to have this backported to at least stable 6.6.y.

Best,
Shung-Hsi
