{
  "threat_severity" : "Low",
  "public_date" : "2024-02-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS",
    "id" : "2265657",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265657"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-822",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\nThe following prog is accepted:\nfunc#0 @0\n0: R1=ctx() R10=fp0\n0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n2: (b7) r8 = 1024                     ; R8_w=1024\n3: (37) r8 /= 1                       ; R8_w=scalar()\n4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\nsmax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n5: (0f) r7 += r8\nmark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\nmark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\nmark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\nmark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n=(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\nvar_off=(0x0; 0x400))\n6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n7: (95) exit\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\nBUG: unable to handle page fault for address: ffffc90014c80038\n[...]\nCall Trace:\n<TASK>\nbpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n__bpf_prog_run include/linux/filter.h:651 [inline]\nbpf_prog_run include/linux/filter.h:658 [inline]\nbpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\nbpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\nbpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\nbpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n__sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n__do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n__se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n__x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".", "A vulnerability has been identified in the Linux kernel's Berkeley Packet Filter (BPF) subsystem. The flaw resides within the handling of PTR_TO_FLOW_KEYS (pointer to flow keys) in the check_flow_keys_access() function.\nSpecifically, while fixed offsets are validated for PTR_TO_FLOW_KEYS, the system currently fails to prohibit variable offset pointer arithmetic for this pointer type. This oversight allows a malicious or specially crafted BPF program to perform an unchecked variable offset addition to the flow keys pointer. This results in an out-of-bounds memory access, which can lead to a kernel crash. This issue directly impacts system availability by causing a denial of service." ],
  "statement" : "The default Red Hat Enterprise Linux kernel prevents unprivileged users from using eBPF via the kernel.unprivileged_bpf_disabled sysctl. Abusing this flaw would therefore require a privileged user with CAP_SYS_ADMIN or root, which reduces its attack surface.\nFor Red Hat Enterprise Linux 8, to confirm the current state, inspect the sysctl with the command:\n~~~\n# cat /proc/sys/kernel/unprivileged_bpf_disabled\n~~~\nA setting of 1 means that unprivileged users cannot use eBPF, mitigating the flaw.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26589\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26589\nhttps://lore.kernel.org/linux-cve-announce/2024022257-CVE-2024-26589-0ee1@gregkh/T/#u" ],
  "name" : "CVE-2024-26589",
  "mitigation" : {
    "value" : "No mitigation is currently available for this vulnerability. Make sure to perform the updates as they become available.",
    "lang" : "en:us"
  },
  "csaw" : false
}