| Message ID | 20240308211537.31181-1-bethany.jamison@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2024-26591 | expand |
Yesterday's pull request `[SRU][Mantic][PULL] Mantic upstream stable patchset 2024-03-07` already has the fix commit for this CVE. Unsure if it's worth a NACK though. On 08/03/2024 18:15, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > bpf: Fix re-attachment branch in bpf_tracing_prog_attach > > The following case can cause a crash due to missing attach_btf: > > 1) load rawtp program > 2) load fentry program with rawtp as target_fd > 3) create tracing link for fentry program with target_fd = 0 > 4) repeat 3 > > In the end we have: > > - prog->aux->dst_trampoline == NULL > - tgt_prog == NULL (because we did not provide target_fd to link_create) > - prog->aux->attach_btf == NULL (the program was loaded with > attach_prog_fd=X) > - the program was loaded for tgt_prog but we have no way to find out which > one > > BUG: kernel NULL pointer dereference, address: 0000000000000058 > Call Trace: > <TASK> > ? __die+0x20/0x70 > ? page_fault_oops+0x15b/0x430 > ? fixup_exception+0x22/0x330 > ? exc_page_fault+0x6f/0x170 > ? asm_exc_page_fault+0x22/0x30 > ? bpf_tracing_prog_attach+0x279/0x560 > ? btf_obj_id+0x5/0x10 > bpf_tracing_prog_attach+0x439/0x560 > __sys_bpf+0x1cf4/0x2de0 > __x64_sys_bpf+0x1c/0x30 > do_syscall_64+0x41/0xf0 > entry_SYSCALL_64_after_hwframe+0x6e/0x76 > > Return -EINVAL in this situation. > > [Fix] > > Mantic: Clean cherry-pick. > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > Issues could occur when the user uses bpf, though the risk of regression > is reasonably low as the only change is an additional validation check. > > Jiri Olsa (1): > bpf: Fix re-attachment branch in bpf_tracing_prog_attach > > kernel/bpf/syscall.c | 9 +++++++++ > 1 file changed, 9 insertions(+) >
This commit was recently added to Mantic by the stable team and does not need to be added via CVE patch. On 3/8/24 3:15 PM, Bethany Jamison wrote: > [Impact] > > In the Linux kernel, the following vulnerability has been resolved: > > bpf: Fix re-attachment branch in bpf_tracing_prog_attach > > The following case can cause a crash due to missing attach_btf: > > 1) load rawtp program > 2) load fentry program with rawtp as target_fd > 3) create tracing link for fentry program with target_fd = 0 > 4) repeat 3 > > In the end we have: > > - prog->aux->dst_trampoline == NULL > - tgt_prog == NULL (because we did not provide target_fd to link_create) > - prog->aux->attach_btf == NULL (the program was loaded with > attach_prog_fd=X) > - the program was loaded for tgt_prog but we have no way to find out which > one > > BUG: kernel NULL pointer dereference, address: 0000000000000058 > Call Trace: > <TASK> > ? __die+0x20/0x70 > ? page_fault_oops+0x15b/0x430 > ? fixup_exception+0x22/0x330 > ? exc_page_fault+0x6f/0x170 > ? asm_exc_page_fault+0x22/0x30 > ? bpf_tracing_prog_attach+0x279/0x560 > ? btf_obj_id+0x5/0x10 > bpf_tracing_prog_attach+0x439/0x560 > __sys_bpf+0x1cf4/0x2de0 > __x64_sys_bpf+0x1c/0x30 > do_syscall_64+0x41/0xf0 > entry_SYSCALL_64_after_hwframe+0x6e/0x76 > > Return -EINVAL in this situation. > > [Fix] > > Mantic: Clean cherry-pick. > > [Test Case] > > Compile and boot tested. > > [Where problems could occur] > > Issues could occur when the user uses bpf, though the risk of regression > is reasonably low as the only change is an additional validation check. > > Jiri Olsa (1): > bpf: Fix re-attachment branch in bpf_tracing_prog_attach > > kernel/bpf/syscall.c | 9 +++++++++ > 1 file changed, 9 insertions(+) >
[Impact] In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation. [Fix] Mantic: Clean cherry-pick. [Test Case] Compile and boot tested. [Where problems could occur] Issues could occur when the user uses bpf, though the risk of regression is reasonably low as the only change is an additional validation check. Jiri Olsa (1): bpf: Fix re-attachment branch in bpf_tracing_prog_attach kernel/bpf/syscall.c | 9 +++++++++ 1 file changed, 9 insertions(+)