cve/published/2024/CVE-2024-47728.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47728: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

 For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input
 arguments, zero the value for the case of an error as otherwise it could leak
 memory. For tracing, it is not needed given CAP_PERFMON can already read all
 kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped
 in here.

 Also, the MTU helpers mtu_len pointer value is being written but also read.
 Technically, the MEM_UNINIT should not be there in order to always force init.
 Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now
 implies two things actually: i) write into memory, ii) memory does not have
 to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,
 ii) memory must be initialized. This means that for bpf_*_check_mtu() we're
 readding the issue we're trying to fix, that is, it would then be able to
 write back into things like .rodata BPF maps. Follow-up work will rework the
 MEM_UNINIT semantics such that the intent can be better expressed. For now
 just clear the *mtu_len on error path which can be lifted later again.

 The Linux kernel CVE team has assigned CVE-2024-47728 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.1.113 with commit 8397bf78988f3ae9dbebb0200189a62a57264980
 	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.6.54 with commit a634fa8e480ac2423f86311a602f6295df2c8ed0
 	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.10.13 with commit 599d15b6d03356a97bff7a76155c5604c42a2962
 	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.11.2 with commit 594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
 	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.12 with commit 4b3786a6c5397dc220b1483d8e2f4867743e966f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47728
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/helpers.c
 	kernel/bpf/syscall.c
 	net/core/filter.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8397bf78988f3ae9dbebb0200189a62a57264980
 	https://git.kernel.org/stable/c/a634fa8e480ac2423f86311a602f6295df2c8ed0
 	https://git.kernel.org/stable/c/599d15b6d03356a97bff7a76155c5604c42a2962
 	https://git.kernel.org/stable/c/594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
 	https://git.kernel.org/stable/c/4b3786a6c5397dc220b1483d8e2f4867743e966f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47728: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

	For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input
	arguments, zero the value for the case of an error as otherwise it could leak
	memory. For tracing, it is not needed given CAP_PERFMON can already read all
	kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped
	in here.

	Also, the MTU helpers mtu_len pointer value is being written but also read.
	Technically, the MEM_UNINIT should not be there in order to always force init.
	Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now
	implies two things actually: i) write into memory, ii) memory does not have
	to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,
	ii) memory must be initialized. This means that for bpf_*_check_mtu() we're
	readding the issue we're trying to fix, that is, it would then be able to
	write back into things like .rodata BPF maps. Follow-up work will rework the
	MEM_UNINIT semantics such that the intent can be better expressed. For now
	just clear the *mtu_len on error path which can be lifted later again.

	The Linux kernel CVE team has assigned CVE-2024-47728 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.1.113 with commit 8397bf78988f3ae9dbebb0200189a62a57264980
	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.6.54 with commit a634fa8e480ac2423f86311a602f6295df2c8ed0
	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.10.13 with commit 599d15b6d03356a97bff7a76155c5604c42a2962
	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.11.2 with commit 594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
	Issue introduced in 5.2 with commit d7a4cb9b6705a89937d12c8158a35a3145dc967a and fixed in 6.12 with commit 4b3786a6c5397dc220b1483d8e2f4867743e966f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47728
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/helpers.c
	kernel/bpf/syscall.c
	net/core/filter.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8397bf78988f3ae9dbebb0200189a62a57264980
	https://git.kernel.org/stable/c/a634fa8e480ac2423f86311a602f6295df2c8ed0
	https://git.kernel.org/stable/c/599d15b6d03356a97bff7a76155c5604c42a2962
	https://git.kernel.org/stable/c/594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
	https://git.kernel.org/stable/c/4b3786a6c5397dc220b1483d8e2f4867743e966f