CVE-2023-52676
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Guard stack limits against 32bit overflow
This patch promotes the arithmetic around checking stack bounds to be
done in the 64-bit domain, instead of the current 32bit. The arithmetic
implies adding together a 64-bit register with a int offset. The
register was checked to be below 1<<29 when it was variable, but not
when it was fixed. The offset either comes from an instruction (in which
case it is 16 bit), from another register (in which case the caller
checked it to be below 1<<29 [1]), or from the size of an argument to a
kfunc (in which case it can be a u32 [2]). Between the register being
inconsistently checked to be below 1<<29, and the offset being up to an
u32, it appears that we were open to overflowing the ints which were
currently used for arithmetic.
[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 01f810ace9ed37255f27608a0864abebccf0aab3 < ad140fc856f0b1d5e2215bcb6d0cc247a86805a2 | affected |
| Linux | Linux | 01f810ace9ed37255f27608a0864abebccf0aab3 < e5ad9ecb84405637df82732ee02ad741a5f782a6 | affected |
| Linux | Linux | 01f810ace9ed37255f27608a0864abebccf0aab3 < 1d38a9ee81570c4bd61f557832dead4d6f816760 | affected |
| Linux | Linux | f3c4b01689d392373301e6e60d1b02c5b4020afc | affected |
| Linux | Linux | d1b725ea5d104caea250427899f4e2e3ab15b4fc | affected |
| Linux | Linux | 5.10.33 < 5.11 | affected |
| Linux | Linux | 5.11.17 < 5.12 | affected |
| Linux | Linux | 5.12 | affected |
| Linux | Linux | 0 < 5.12 | unaffected |
| Linux | Linux | 6.6.14 <= 6.6.* | unaffected |
| Linux | Linux | 6.7.2 <= 6.7.* | unaffected |
| Linux | Linux | 6.8 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2
- https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6
- https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760
References
- https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2
- https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6
- https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.