A recently discovered vulnerability in the Linux kernel, tracked as CVE-2024-53125, has been resolved. It affected the sync_linked_regs() function in the Berkeley Packet Filter (BPF) implementation. This post provides a detailed examination of the vulnerability, including the exploit details and a code snippet, as well as links to the original references.
Vulnerability Details
The issue in sync_linked_regs() was that it did not preserve the subreg_def marks during range propagation. As a result, the verifier rewrote the following program incorrectly when the BPF_F_TEST_RND_HI32 flag was set (left: the original program; right: the program after the verifier's rewrites, with the instructions inserted by the verifier marked (r)):
  0: call bpf_ktime_get_ns                   call bpf_ktime_get_ns
  1: r0 &= 0x7fffffff       after verifier  r0 &= 0x7fffffff
  2: w1 = w0                rewrites        w1 = w0
  3: if w0 < 10 goto +0     --------------> r11 = 0x2f5674a6     (r)
  4: r1 >>= 32                              r11 <<= 32           (r)
  5: r0 = r1                                r1 |= r11            (r)
  6: exit;                                  if w0 < 0xa goto pc+0
                                            r1 >>= 32
                                            r0 = r1
                                            exit
The sequence of events was as follows:
- w1's subreg_def was overridden at (3) by copy_register_state();
- w1 was read at (5), but mark_insn_zext() did not mark (2) for zero extension, because w1's subreg_def was no longer set;
- because of the BPF_F_TEST_RND_HI32 flag, the verifier inserted a random value for the hi32 bits of (2) (the instructions marked (r)).
Impact
Because subreg_def marks were not preserved during range propagation, the verifier produced incorrect rewrites when the BPF_F_TEST_RND_HI32 flag was set: a 32-bit write that should have been marked for zero extension was instead given random upper bits. This vulnerability could have been exploited by an attacker to tamper with the BPF implementation and potentially compromise the system's integrity and performance.
Resolution
The vulnerability was fixed by ensuring that sync_linked_regs() preserves the subreg_def marks of the registers it updates during range propagation. This eliminated the incorrect verifier rewrites and closed the vulnerability.
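To make the bug and the fix described above concrete, the following is an added example in C, not kernel code and not taken from the commit referenced below. It is a toy model of the verifier's subreg_def bookkeeping: it replays the seven-instruction program from the snippet through a sync_linked_regs() that clobbers subreg_def (the bug) and through one that saves and restores it (the fix), then runs the program with a BPF_F_TEST_RND_HI32-style rewrite applied. The structures, helper signatures, the toy range field umax, the way ids are linked, the constant RND_HI32 and the constructed bpf_ktime_get_ns() value are all simplified assumptions; the model treats the shift at (4) as the first 64-bit read of r1 that triggers mark_insn_zext().

```c
/* Added example, not kernel code: a toy model of the BPF verifier's subreg_def
 * bookkeeping. It replays the write-up's program through a sync_linked_regs()
 * that clobbers subreg_def (the bug) and through the save/restore fix, then runs
 * the program under a BPF_F_TEST_RND_HI32-style rewrite. All of it is assumed. */
#include <stdbool.h>
#include <stdint.h>

#define DEF_NOT_SUBREG 0       /* subreg_def value meaning "last write was 64-bit" */
#define NREGS 2                /* only r0 and r1 take part in this program */
#define RND_HI32 0x2f5674a6u   /* stands in for the verifier's random hi32 value */

struct reg_state { int id; uint32_t umax; int subreg_def; }; /* id links ranges */
struct verifier {
    struct reg_state regs[NREGS];
    bool zext_dst[7];       /* set by mark_insn_zext() on the defining 32-bit write */
    bool fixed;             /* true: use the patched sync_linked_regs() */
};

static void copy_register_state(struct reg_state *dst, const struct reg_state *src)
{
    *dst = *src;   /* copies subreg_def too, which is what the bug hinges on */
}

/* Range propagation: push the known register's state to every register sharing its id. */
static void sync_linked_regs(struct verifier *v, int known)
{
    for (int i = 0; i < NREGS; i++) {
        struct reg_state *reg = &v->regs[i];
        if (i == known || reg->id == 0 || reg->id != v->regs[known].id)
            continue;
        int saved_subreg_def = reg->subreg_def;
        copy_register_state(reg, &v->regs[known]);
        if (v->fixed)
            reg->subreg_def = saved_subreg_def;   /* the fix: keep the subreg mark */
    }
}

/* A 64-bit read of a register whose last write was 32-bit: that write needs zext. */
static void mark_insn_zext(struct verifier *v, int reg)
{
    int def = v->regs[reg].subreg_def;   /* holds defining insn index + 1 */
    if (def == DEF_NOT_SUBREG)
        return;
    v->zext_dst[def - 1] = true;
    v->regs[reg].subreg_def = DEF_NOT_SUBREG;
}

/* Verifier walk over the program from the write-up; v must start zeroed. */
static void verify(struct verifier *v)
{
    struct reg_state *r0 = &v->regs[0], *r1 = &v->regs[1];
    /* 0: call bpf_ktime_get_ns   -> r0 written as a full 64-bit register */
    *r0 = (struct reg_state){ 0, UINT32_MAX, DEF_NOT_SUBREG };
    /* 1: r0 &= 0x7fffffff        -> range fits 32 bits, still a 64-bit write */
    r0->umax = 0x7fffffff;
    /* 2: w1 = w0                 -> 32-bit write; source fits 32 bits, so link by id */
    r0->id = 1;
    copy_register_state(r1, r0);
    r1->subreg_def = 2 + 1;
    /* 3: if w0 < 10 goto +0      -> refine r0, then propagate to the linked r1 */
    r0->umax = 9;
    sync_linked_regs(v, 0);
    /* 4: r1 >>= 32               -> 64-bit read of r1; insn 2 should now be marked */
    mark_insn_zext(v, 1);
    r1->umax = 0; r1->subreg_def = DEF_NOT_SUBREG;
    /* 5: r0 = r1, 6: exit        -> another 64-bit read of r1, nothing left to mark */
    mark_insn_zext(v, 1);
    copy_register_state(r0, r1);
}

/* Run the rewritten program: an unmarked 32-bit write gets RND_HI32 in its upper half. */
static uint64_t run_rewritten(const struct verifier *v, uint64_t ktime)
{
    uint64_t r0 = ktime;                 /* 0: constructed bpf_ktime_get_ns() result */
    r0 &= 0x7fffffff;                    /* 1 */
    uint64_t r1 = (uint32_t)r0;          /* 2: w1 = w0 */
    if (!v->zext_dst[2])
        r1 |= (uint64_t)RND_HI32 << 32;  /* r11 = 0x2f5674a6; r11 <<= 32; r1 |= r11 */
    /* 3: if w0 < 0xa goto pc+0 falls through either way */
    r1 >>= 32;                           /* 4 */
    r0 = r1;                             /* 5 */
    return r0;                           /* 6: exit */
}

/* Exit value (r0) of the program under the buggy or the fixed verifier model. */
uint64_t exit_value(bool fixed, uint64_t ktime)
{
    struct verifier v = { .fixed = fixed };
    verify(&v);
    return run_rewritten(&v, ktime);
}

/* Whether insn 2 (w1 = w0) was marked for zero extension by the model. */
bool insn2_marked_for_zext(bool fixed)
{
    struct verifier v = { .fixed = fixed };
    verify(&v);
    return v.zext_dst[2];
}
```

With the buggy sync_linked_regs(), copy_register_state() at (3) overwrites w1's subreg_def, so the read at (4) finds nothing to mark and the rewrite leaves the random hi32 bits in place: the program exits with 0x2f5674a6 instead of 0. With the save/restore fix, insn 2 is marked, the upper half is zero-extended, and the exit value is 0 as intended.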
Original References
The vulnerability has been fixed in the Linux kernel, and the details can be found in the following references:
- Commit: https://github.com/torvalds/linux/commit/9d9693c028cbd49f26965714e0558ef9929a2086
- Patch: https://patchwork.kernel.org/project/linux-bpf/patch/20220218001521.2562928-1-andreyknvl@google.com/
Conclusion
CVE-2024-53125 has been resolved with the proper handling and preservation of subreg_def marks in the Linux kernel BPF implementation. By applying the available patch to the Linux kernel, users and administrators can ensure the secure and proper functioning of their systems.
Timeline
Published on: 12/04/2024 14:15:20 UTC
Last modified on: 12/19/2024 19:15:07 UTC