| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\n r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */\n r0 = r2\n r0 += 8\n if r3 > r0 goto +1\n ...\nNote that __sk_buff->data load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n r2 = *(u64 *)(r1 +208)\n r2 = (s32)r2\n r3 = *(u64 *)(r1 +80)\n r0 = r2\n r0 += 8\n if r3 > r0 goto pc+1\n ...\nNote that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n void *data = (void *)(long)skb->data;\n void *data_end = (void *)(long)skb->data_end;\n ...\nand it will generate\n r2 = *(u64 *)(r1 +208)\n r3 = *(u64 *)(r1 +80)\n r0 = r2\n r0 += 8\n if r3 > r0 goto pc+1\n\nIf we allow sign-extension,\n void *data = (void *)(long)(int)skb->data;\n void *data_end = (void *)(long)skb->data_end;\n ...\nthe generated code looks like\n r2 = *(u64 *)(r1 +208)\n r2 <<= 32\n r2 s>>= 32\n r3 = *(u64 *)(r1 +80)\n r0 = r2\n r0 += 8\n if r3 > r0 goto pc+1\nand this will cause verification failure since \"r2 <<= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extension, the verification will fail.\n\n [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/linux/bpf.h", |
| "kernel/bpf/verifier.c", |
| "net/core/filter.c" |
| ], |
| "versions": [ |
| { |
| "version": "1f1e864b65554e33fe74e3377e58b12f4302f2eb", |
| "lessThan": "f1620c93a1ec950d87ef327a565d3907736d3340", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "1f1e864b65554e33fe74e3377e58b12f4302f2eb", |
| "lessThan": "f09757fe97a225ae505886eac572e4cbfba96537", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "1f1e864b65554e33fe74e3377e58b12f4302f2eb", |
| "lessThan": "92de36080c93296ef9005690705cba260b9bd68a", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "include/linux/bpf.h", |
| "kernel/bpf/verifier.c", |
| "net/core/filter.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.6", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "6.6", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.10.13", |
| "lessThanOrEqual": "6.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.11.2", |
| "lessThanOrEqual": "6.11.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.6", |
| "versionEndExcluding": "6.10.13" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.6", |
| "versionEndExcluding": "6.11.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.6", |
| "versionEndExcluding": "6.12" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/f1620c93a1ec950d87ef327a565d3907736d3340" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f09757fe97a225ae505886eac572e4cbfba96537" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/92de36080c93296ef9005690705cba260b9bd68a" |
| } |
| ], |
| "title": "bpf: Fail verification for sign-extension of packet data/data_end/data_meta", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-47702", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |