CVE-2023-52828

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Detect IP == ksym.end as part of BPF program

Now that bpf_throw kfunc is the first such call instruction that has noreturn semantics within the verifier, this also kicks in dead code elimination in unprecedented ways. For one, any instruction following a bpf_throw call will never be marked as seen. Moreover, if a callchain ends up throwing, any instructions after the call instruction to the eventually throwing subprog in callers will also never be marked as seen.

The tempting way to fix this would be to emit extra 'int3' instructions which bump the jited_len of a program, and ensure that during runtime when a program throws, we can discover its boundaries even if the call instruction to bpf_throw (or to subprogs that always throw) is emitted as the final instruction in the program.

An example of such a program would be this:

do_something(): … r0 = 0 exit

foo(): r1 = 0 call bpf_throw r0 = 0 exit

bar(cond): if r1 != 0 goto pc+2 call do_something exit call foo r0 = 0 // Never seen by verifier exit //

main(ctx): r1 = … call bar r0 = 0 exit

Here, if we do end up throwing, the stacktrace would be the following:

bpf_throw foo bar main

In bar, the final instruction emitted will be the call to foo, as such, the return address will be the subsequent instruction (which the JIT emits as int3 on x86). This will end up lying outside the jited_len of the program, thus, when unwinding, we will fail to discover the return address as belonging to any program and end up in a panic due to the unreliable stack unwinding of BPF programs that we never expect.

To remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as part of the BPF program, so that is_bpf_text_address returns true when such a case occurs, and we are able to unwind reliably when the final instruction ends up being a call instruction.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd < 6058e4829696412457729a00734969acc6fd1d18affected
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd < cf353904a82873e952633fcac4385c2fcd3a46e1affected
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd < aa42a7cb92647786719fe9608685da345883878faffected
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd < 327b92e8cb527ae097961ffd1610c720481947f5affected
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd < 821a7e4143af115b840ec199eb179537e18af922affected
LinuxLinux74451e66d516c55e309e8d89a4a1e7596e46aacd < 66d9111f3517f85ef2af0337ece02683ce0faf21affected
LinuxLinux4.11affected
LinuxLinux0 < 4.11unaffected
LinuxLinux5.10.202 <= 5.10.*unaffected
LinuxLinux5.15.140 <= 5.15.*unaffected
LinuxLinux6.1.64 <= 6.1.*unaffected
LinuxLinux6.5.13 <= 6.5.*unaffected
LinuxLinux6.6.3 <= 6.6.*unaffected
LinuxLinux6.7 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References