cve/published/2024/CVE-2024-58098.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58098: bpf: track changes_pkt_data property for global functions

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: track changes_pkt_data property for global functions

 When processing calls to certain helpers, verifier invalidates all
 packet pointers in a current state. For example, consider the
 following program:

     __attribute__((__noinline__))
     long skb_pull_data(struct __sk_buff *sk, __u32 len)
     {
         return bpf_skb_pull_data(sk, len);
     }

     SEC("tc")
     int test_invalidate_checks(struct __sk_buff *sk)
     {
         int *p = (void *)(long)sk->data;
         if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP;
         skb_pull_data(sk, 0);
         *p = 42;
         return TCX_PASS;
     }

 After a call to bpf_skb_pull_data() the pointer 'p' can't be used
 safely. See function filter.c:bpf_helper_changes_pkt_data() for a list
 of such helpers.

 At the moment verifier invalidates packet pointers when processing
 helper function calls, and does not traverse global sub-programs when
 processing calls to global sub-programs. This means that calls to
 helpers done from global sub-programs do not invalidate pointers in
 the caller state. E.g. the program above is unsafe, but is not
 rejected by verifier.

 This commit fixes the omission by computing field
 bpf_subprog_info->changes_pkt_data for each sub-program before main
 verification pass.
 changes_pkt_data should be set if:
 - subprogram calls helper for which bpf_helper_changes_pkt_data
   returns true;
 - subprogram calls a global function,
   for which bpf_subprog_info->changes_pkt_data should be set.

 The verifier.c:check_cfg() pass is modified to compute this
 information. The commit relies on depth first instruction traversal
 done by check_cfg() and absence of recursive function calls:
 - check_cfg() would eventually visit every call to subprogram S in a
   state when S is fully explored;
 - when S is fully explored:
   - every direct helper call within S is explored
     (and thus changes_pkt_data is set if needed);
   - every call to subprogram S1 called by S was visited with S1 fully
     explored (and thus S inherits changes_pkt_data from S1).

 The downside of such approach is that dead code elimination is not
 taken into account: if a helper call inside global function is dead
 because of current configuration, verifier would conservatively assume
 that the call occurs for the purpose of the changes_pkt_data
 computation.

 The Linux kernel CVE team has assigned CVE-2024-58098 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 51c39bb1d5d105a02e29aa7960f0a395086e6342 and fixed in 6.6.90 with commit 79751e9227a5910c0e5a2c7186877d91821d957d
 	Issue introduced in 5.6 with commit 51c39bb1d5d105a02e29aa7960f0a395086e6342 and fixed in 6.12.25 with commit 1d572c60488b52882b719ed273767ee3b280413d
 	Issue introduced in 5.6 with commit 51c39bb1d5d105a02e29aa7960f0a395086e6342 and fixed in 6.13 with commit 51081a3f25c742da5a659d7fc6fd77ebfdd555be

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58098
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/bpf_verifier.h
 	kernel/bpf/verifier.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/79751e9227a5910c0e5a2c7186877d91821d957d
 	https://git.kernel.org/stable/c/1d572c60488b52882b719ed273767ee3b280413d
 	https://git.kernel.org/stable/c/51081a3f25c742da5a659d7fc6fd77ebfdd555be
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58098: bpf: track changes_pkt_data property for global functions

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: track changes_pkt_data property for global functions

	When processing calls to certain helpers, verifier invalidates all
	packet pointers in a current state. For example, consider the
	following program:

	__attribute__((__noinline__))
	long skb_pull_data(struct __sk_buff *sk, __u32 len)
	{
	return bpf_skb_pull_data(sk, len);
	}

	SEC("tc")
	int test_invalidate_checks(struct __sk_buff *sk)
	{
	int p = (void )(long)sk->data;
	if ((void )(p + 1) > (void )(long)sk->data_end) return TCX_DROP;
	skb_pull_data(sk, 0);
	*p = 42;
	return TCX_PASS;
	}

	After a call to bpf_skb_pull_data() the pointer 'p' can't be used
	safely. See function filter.c:bpf_helper_changes_pkt_data() for a list
	of such helpers.

	At the moment verifier invalidates packet pointers when processing
	helper function calls, and does not traverse global sub-programs when
	processing calls to global sub-programs. This means that calls to
	helpers done from global sub-programs do not invalidate pointers in
	the caller state. E.g. the program above is unsafe, but is not
	rejected by verifier.

	This commit fixes the omission by computing field
	bpf_subprog_info->changes_pkt_data for each sub-program before main
	verification pass.
	changes_pkt_data should be set if:
	- subprogram calls helper for which bpf_helper_changes_pkt_data
	returns true;
	- subprogram calls a global function,
	for which bpf_subprog_info->changes_pkt_data should be set.

	The verifier.c:check_cfg() pass is modified to compute this
	information. The commit relies on depth first instruction traversal
	done by check_cfg() and absence of recursive function calls:
	- check_cfg() would eventually visit every call to subprogram S in a
	state when S is fully explored;
	- when S is fully explored:
	- every direct helper call within S is explored
	(and thus changes_pkt_data is set if needed);
	- every call to subprogram S1 called by S was visited with S1 fully
	explored (and thus S inherits changes_pkt_data from S1).

	The downside of such approach is that dead code elimination is not
	taken into account: if a helper call inside global function is dead
	because of current configuration, verifier would conservatively assume
	that the call occurs for the purpose of the changes_pkt_data
	computation.

	The Linux kernel CVE team has assigned CVE-2024-58098 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 51c39bb1d5d105a02e29aa7960f0a395086e6342 and fixed in 6.6.90 with commit 79751e9227a5910c0e5a2c7186877d91821d957d
	Issue introduced in 5.6 with commit 51c39bb1d5d105a02e29aa7960f0a395086e6342 and fixed in 6.12.25 with commit 1d572c60488b52882b719ed273767ee3b280413d
	Issue introduced in 5.6 with commit 51c39bb1d5d105a02e29aa7960f0a395086e6342 and fixed in 6.13 with commit 51081a3f25c742da5a659d7fc6fd77ebfdd555be

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58098
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/bpf_verifier.h
	kernel/bpf/verifier.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/79751e9227a5910c0e5a2c7186877d91821d957d
	https://git.kernel.org/stable/c/1d572c60488b52882b719ed273767ee3b280413d
	https://git.kernel.org/stable/c/51081a3f25c742da5a659d7fc6fd77ebfdd555be