CVE-2024-42063
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode
syzbot reported uninit memory usages during map_{lookup,delete}_elem.
========== BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline] BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796 __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline] dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796 ____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline] bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237
The reproducer should be in the interpreter mode.
The C reproducer is trying to run the following bpf prog:
0: (18) r0 = 0x0
2: (18) r1 = map[id:49]
4: (b7) r8 = 16777216
5: (7b) *(u64 *)(r10 -8) = r8
6: (bf) r2 = r10
7: (07) r2 += -229
^^^^^^^^^^
8: (b7) r3 = 8
9: (b7) r4 = 0
10: (85) call dev_map_lookup_elem#1543472 11: (95) exit
It is due to the "void *key" (r2) passed to the helper. bpf allows uninit stack memory access for bpf prog with the right privileges. This patch uses kmsan_unpoison_memory() to mark the stack as initialized.
This should address different syzbot reports on the uninit "void *key" argument during map_{lookup,delete}_elem.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bd4cf0ed331a275e9bf5a49e6d0fd55dffc551b8 < b30f3197a6cd080052d5d4973f9a6b479fd9fff5 | affected |
| Linux | Linux | bd4cf0ed331a275e9bf5a49e6d0fd55dffc551b8 < d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf | affected |
| Linux | Linux | bd4cf0ed331a275e9bf5a49e6d0fd55dffc551b8 < 3189983c26108cf0990e5c46856dc9feb9470d12 | affected |
| Linux | Linux | bd4cf0ed331a275e9bf5a49e6d0fd55dffc551b8 < e8742081db7d01f980c6161ae1e8a1dbc1e30979 | affected |
| Linux | Linux | 3.15 | affected |
| Linux | Linux | 0 < 3.15 | unaffected |
| Linux | Linux | 6.1.97 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.37 <= 6.6.* | unaffected |
| Linux | Linux | 6.9.8 <= 6.9.* | unaffected |
| Linux | Linux | 6.10 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5
- https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf
- https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12
- https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5
- https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf
- https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12
- https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.