CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%
In the Linux kernel, the following vulnerability has been resolved: bpf:
Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS,
check_flow_keys_access() only uses fixed off for validation. However,
variable offset ptr alu is not prohibited for this ptr kind. So the
variable offset is not checked. The following prog is accepted: func#0 @0
0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 =
*(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ;
R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ;
R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0;
0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0
subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &=
1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6:
R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0;
0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95)
exit This prog loads flow_keys to r7, and adds the variable offset r8 to
r7, and finally causes out-of-bounds access: BUG: unable to handle page
fault for address: ffffc90014c80038 […] Call Trace: <TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run
include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658
[inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560
kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0
kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52
[inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with
variable offset on flow_keys. Applying the patch rejects the program with
“R7 pointer arithmetic on flow_keys prohibited”.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < 5.4.0-177.197 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-102.112 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-28.29 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1123.133 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1057.63 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1018.18 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1057.63~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < 5.4.0-1123.133~18.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < 6.5.0-1018.18~22.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < 5.4.0-1128.135 | UNKNOWN |
git.kernel.org/stable/c/1b500d5d6cecf98dd6ca88bc9e7ae1783c83e6d3
git.kernel.org/stable/c/22c7fa171a02d310e3a3f6ed46a698ca8a0060ed
git.kernel.org/stable/c/29ffa63f21bcdcef3e36b03cccf9d0cd031f6ab0
git.kernel.org/stable/c/4108b86e324da42f7ed425bd71632fd844300dc8
git.kernel.org/stable/c/e8d3872b617c21100c5ee4f64e513997a68c2e3d
launchpad.net/bugs/cve/CVE-2024-26589
nvd.nist.gov/vuln/detail/CVE-2024-26589
security-tracker.debian.org/tracker/CVE-2024-26589
ubuntu.com/security/notices/USN-6688-1
ubuntu.com/security/notices/USN-6725-1
ubuntu.com/security/notices/USN-6725-2
ubuntu.com/security/notices/USN-6741-1
ubuntu.com/security/notices/USN-6743-1
ubuntu.com/security/notices/USN-6743-2
ubuntu.com/security/notices/USN-6743-3
www.cve.org/CVERecord?id=CVE-2024-26589