Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2023 / CVE-2023-52828.json
blob: 1c5f87d678405206b8e6628cdaa14037bbff869b [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Detect IP == ksym.end as part of BPF program\n\nNow that bpf_throw kfunc is the first such call instruction that has\nnoreturn semantics within the verifier, this also kicks in dead code\nelimination in unprecedented ways. For one, any instruction following\na bpf_throw call will never be marked as seen. Moreover, if a callchain\nends up throwing, any instructions after the call instruction to the\neventually throwing subprog in callers will also never be marked as\nseen.\n\nThe tempting way to fix this would be to emit extra 'int3' instructions\nwhich bump the jited_len of a program, and ensure that during runtime\nwhen a program throws, we can discover its boundaries even if the call\ninstruction to bpf_throw (or to subprogs that always throw) is emitted\nas the final instruction in the program.\n\nAn example of such a program would be this:\n\ndo_something():\n\t...\n\tr0 = 0\n\texit\n\nfoo():\n\tr1 = 0\n\tcall bpf_throw\n\tr0 = 0\n\texit\n\nbar(cond):\n\tif r1 != 0 goto pc+2\n\tcall do_something\n\texit\n\tcall foo\n\tr0 = 0 // Never seen by verifier\n\texit\t//\n\nmain(ctx):\n\tr1 = ...\n\tcall bar\n\tr0 = 0\n\texit\n\nHere, if we do end up throwing, the stacktrace would be the following:\n\nbpf_throw\nfoo\nbar\nmain\n\nIn bar, the final instruction emitted will be the call to foo, as such,\nthe return address will be the subsequent instruction (which the JIT\nemits as int3 on x86). This will end up lying outside the jited_len of\nthe program, thus, when unwinding, we will fail to discover the return\naddress as belonging to any program and end up in a panic due to the\nunreliable stack unwinding of BPF programs that we never expect.\n\nTo remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as\npart of the BPF program, so that is_bpf_text_address returns true when\nsuch a case occurs, and we are able to unwind reliably when the final\ninstruction ends up being a call instruction."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"kernel/bpf/core.c"
],
"versions": [
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "6058e4829696412457729a00734969acc6fd1d18",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "cf353904a82873e952633fcac4385c2fcd3a46e1",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "aa42a7cb92647786719fe9608685da345883878f",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "327b92e8cb527ae097961ffd1610c720481947f5",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "821a7e4143af115b840ec199eb179537e18af922",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "66d9111f3517f85ef2af0337ece02683ce0faf21",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"kernel/bpf/core.c"
],
"versions": [
{
"version": "5.10.202",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.140",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.64",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.5.13",
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.3",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.7",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.202"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.140"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.64"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18"
},
{
"url": "https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1"
},
{
"url": "https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f"
},
{
"url": "https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5"
},
{
"url": "https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922"
},
{
"url": "https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21"
}
],
"title": "bpf: Detect IP == ksym.end as part of BPF program",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2023-52828",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}