CVE-2023-52676

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Guard stack limits against 32bit overflow

This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the ints which were currently used for arithmetic.

[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904

Affected Software

VendorProductVersion RangeStatus
LinuxLinux01f810ace9ed37255f27608a0864abebccf0aab3 < ad140fc856f0b1d5e2215bcb6d0cc247a86805a2affected
LinuxLinux01f810ace9ed37255f27608a0864abebccf0aab3 < e5ad9ecb84405637df82732ee02ad741a5f782a6affected
LinuxLinux01f810ace9ed37255f27608a0864abebccf0aab3 < 1d38a9ee81570c4bd61f557832dead4d6f816760affected
LinuxLinuxf3c4b01689d392373301e6e60d1b02c5b4020afcaffected
LinuxLinuxd1b725ea5d104caea250427899f4e2e3ab15b4fcaffected
LinuxLinux5.10.33 < 5.11affected
LinuxLinux5.11.17 < 5.12affected
LinuxLinux5.12affected
LinuxLinux0 < 5.12unaffected
LinuxLinux6.6.14 <= 6.6.*unaffected
LinuxLinux6.7.2 <= 6.7.*unaffected
LinuxLinux6.8 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References