CVE-2024-49888
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a sdiv overflow issue
Zac Ecob reported a problem where a bpf program may cause kernel crash due to the following error: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI
The failure is due to the below signed divide: LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808. LLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808, but it is impossible since for 64-bit system, the maximum positive number is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will cause a kernel exception. On arm64, the result for LLONG_MIN/-1 is LLONG_MIN.
Further investigation found all the following sdiv/smod cases may trigger an exception when bpf program is running on x86_64 platform:
- LLONG_MIN/-1 for 64bit operation
- INT_MIN/-1 for 32bit operation
- LLONG_MIN%-1 for 64bit operation
- INT_MIN%-1 for 32bit operation where -1 can be an immediate or in a register.
On arm64, there are no exceptions:
- LLONG_MIN/-1 = LLONG_MIN
- INT_MIN/-1 = INT_MIN
- LLONG_MIN%-1 = 0
- INT_MIN%-1 = 0 where -1 can be an immediate or in a register.
Insn patching is needed to handle the above cases and the patched codes produced results aligned with above arm64 result. The below are pseudo codes to handle sdiv/smod exceptions including both divisor -1 and divisor 0 and the divisor is stored in a register.
sdiv: tmp = rX tmp += 1 /* [-1, 0] -> [0, 1] if tmp >(unsigned) 1 goto L2 if tmp == 0 goto L1 rY = 0 L1: rY = -rY; goto L3 L2: rY /= rX L3:
smod: tmp = rX tmp += 1 /* [-1, 0] -> [0, 1] if tmp >(unsigned) 1 goto L1 if tmp == 1 (is64 ? goto L2 : goto L3) rY = 0; goto L2 L1: rY %= rX L2: goto L4 // only when !is64 L3: wY = wY // only when !is64 L4:
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ec0e2da95f72d4a46050a4d994e4fe471474fd80 < 4902a6a0dc593c82055fc8c9ada371bafe26c9cc | affected |
| Linux | Linux | ec0e2da95f72d4a46050a4d994e4fe471474fd80 < d22e45a369afc7c28f11acfa5b5e8e478227ca5d | affected |
| Linux | Linux | ec0e2da95f72d4a46050a4d994e4fe471474fd80 < 7dd34d7b7dcf9309fc6224caf4dd5b35bedddcb7 | affected |
| Linux | Linux | 6.6 | affected |
| Linux | Linux | 0 < 6.6 | unaffected |
| Linux | Linux | 6.10.14 <= 6.10.* | unaffected |
| Linux | Linux | 6.11.3 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/4902a6a0dc593c82055fc8c9ada371bafe26c9cc
- https://git.kernel.org/stable/c/d22e45a369afc7c28f11acfa5b5e8e478227ca5d
- https://git.kernel.org/stable/c/7dd34d7b7dcf9309fc6224caf4dd5b35bedddcb7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.