About CVE-2024-41009
bpf: Fix overrunning reservations in ringbuf
CWE ID: N/A
Base Score (CVSS): N/A
CVE: CVE-2024-41009
Description: “In the Linux kernel, the following vulnerability has been resolved. The BPF ring buffer is internally implemented as a power-of-2 sized circular buffer with two logical, ever-increasing counters: consumer_pos, the position up to which the consumer has consumed data, and producer_pos, the amount of data reserved by all producers. Each time a record is reserved, the producer that owns it advances producer_pos; each time user space reads a record, it advances consumer_pos. The two counters are stored in separate pages so that user space can mmap the producer counter read-only and the consumer counter read-write. The data area is mapped twice, contiguously back-to-back, in virtual memory, so the page after the last data page is again the first data page; a sample that wraps around the end of the buffer therefore stays contiguous in virtual memory and the implementation needs no special wrap-around handling. Each record has a `struct bpf_ringbuf_hdr` header containing `len` and `pg_off` fields, which are inaccessible to the BPF program. Helpers like `bpf_ringbuf_reserve()` return the address just past that header, `(void *)hdr + BPF_RINGBUF_HDR_SZ`, for the BPF program to use. Bing-Jhong and Muhammad reported that a second allocated memory chunk can be made to overlap the first, so that the BPF program becomes able to edit the first chunk’s header. For example, create a BPF_MAP_TYPE_RINGBUF map with a size of 0x4000 and modify consumer_pos to 0x3000 /before/ calling `bpf_ringbuf_reserve()`. This allocates a chunk A in [0x0, 0x3008], of which the BPF program can edit [0x8, 0x3008]. Next, allocating a chunk B of size 0x3000 succeeds because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B lies in [0x3008, 0x6010], and the BPF program can edit [0x3010, 0x6010]. Because of the double mapping, the ranges [0x0, 0x4000] and [0x4000, 0x8000] point to the same data pages, so chunk B’s bytes at [0x4000, 0x4008] are chunk A’s header. Since `bpf_ringbuf_submit()` and `bpf_ringbuf_discard()` use the header’s `pg_off` to locate the ring buffer itself, a header overwritten through chunk B makes the commit of chunk A refer to the wrong page and can crash the kernel.
The fix calculates the oldest pending_pos and checks whether the range from the oldest outstanding (not yet committed) record to the newest would span beyond the ring buffer size; if it does, the reservation is rejected. This was tested with the ring buffer benchmark in the BPF selftests (./benchs/run_bench_ringbufs.sh) before and after the fix; while some benchmarks appear slightly slower, the difference is not significant enough to matter.”
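The two counters, the pre-fix `new_prod_pos - cons_pos > rb->mask` check and the pending_pos check introduced by the fix, as an added example that is not code from this page or from the kernel: a small C model of the reservation path that replays the 0x4000 / 0x3000 scenario above once with only the original check and once with the fix. Names such as `model_rb`, `rb_reserve`, `scenario_overlaps` and `second_reserve_after_commit` are this example's own, the double mapping is emulated by masking logical positions, and the real kernel's `pg_off` field, spinlock and page handling are left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the reservation path in kernel/bpf/ringbuf.c (added
 * example, not kernel code): only the counters, the record header and the two
 * overrun checks are modelled; the double mapping is emulated by masking. */
#define RB_SIZE      0x4000u        /* ring size used in the advisory */
#define HDR_SZ       8u             /* sizeof(struct bpf_ringbuf_hdr) */
#define BUSY_BIT     (1u << 31)     /* reserved but not yet committed */
#define DISCARD_BIT  (1u << 30)
#define ROUND_UP8(x) (((uint64_t)(x) + 7u) & ~(uint64_t)7u)
#define RB_FAIL      UINT64_MAX
/* header word of the record at logical position pos, after wrap-around */
#define HDR(rb, pos) ((rb)->hdr[((pos) & (rb)->mask) / sizeof(uint32_t)])

struct model_rb {
    uint64_t mask;          /* RB_SIZE - 1 */
    uint64_t consumer_pos;  /* mmapped read-write: attacker-controlled */
    uint64_t producer_pos;  /* advanced only by successful reservations */
    uint64_t pending_pos;   /* oldest uncommitted record (added by the fix) */
    uint32_t hdr[RB_SIZE / sizeof(uint32_t)]; /* hdr->len words of the data area */
};

static void rb_init(struct model_rb *rb)
{
    memset(rb, 0, sizeof(*rb));
    rb->mask = RB_SIZE - 1;
}

/* Reserve `size` bytes; returns the record's logical position or RB_FAIL. */
static uint64_t rb_reserve(struct model_rb *rb, uint32_t size, bool fixed)
{
    uint64_t prod_pos = rb->producer_pos;
    uint64_t new_prod_pos = prod_pos + ROUND_UP8(size + HDR_SZ);
    uint64_t cons_pos = rb->consumer_pos;
    uint64_t pend_pos = rb->pending_pos;

    if (fixed) {
        /* Advance pending_pos past records that were already committed. */
        while (pend_pos < prod_pos) {
            uint32_t hdr_len = HDR(rb, pend_pos);
            if (hdr_len & BUSY_BIT)
                break;
            pend_pos += ROUND_UP8((hdr_len & ~DISCARD_BIT) + HDR_SZ);
        }
        rb->pending_pos = pend_pos;
    }
    /* Pre-fix check: the producer may not run more than mask ahead of the
     * consumer. User space owns consumer_pos, so this alone is bypassable. */
    if (new_prod_pos - cons_pos > rb->mask)
        return RB_FAIL;
    /* Fix: the oldest outstanding record through the new one must also fit. */
    if (fixed && new_prod_pos - pend_pos > rb->mask)
        return RB_FAIL;
    HDR(rb, prod_pos) = size | BUSY_BIT;
    rb->producer_pos = new_prod_pos;
    return prod_pos;
}

static void rb_commit(struct model_rb *rb, uint64_t rec_pos)
{
    HDR(rb, rec_pos) &= ~BUSY_BIT;
}

/* True if the BPF-writable bytes of record rec (size bytes after its header)
 * alias the header of record other once positions are wrapped by the mask. */
static bool rb_data_covers_hdr(const struct model_rb *rb, uint64_t rec,
                               uint32_t size, uint64_t other)
{
    uint64_t dist = (other - (rec + HDR_SZ)) & rb->mask; /* forward distance */
    return dist < size;
}

/* Advisory scenario: consumer_pos forced to 0x3000, then two 0x3000-byte
 * reservations. Returns true if chunk B's data aliases chunk A's header. */
static bool scenario_overlaps(bool fixed)
{
    struct model_rb rb;
    rb_init(&rb);
    rb.consumer_pos = 0x3000;                    /* lie about consumption */
    uint64_t a = rb_reserve(&rb, 0x3000, fixed); /* A: [0x0, 0x3008) */
    uint64_t b = rb_reserve(&rb, 0x3000, fixed); /* B: [0x3008, 0x6010) */
    if (a == RB_FAIL || b == RB_FAIL)
        return false;
    return rb_data_covers_hdr(&rb, b, 0x3000, a);
}

/* Same sequence with A committed before B is reserved: nothing is outstanding,
 * so the fixed check admits B. Returns B's position or RB_FAIL. */
static uint64_t second_reserve_after_commit(bool fixed)
{
    struct model_rb rb;
    rb_init(&rb);
    rb.consumer_pos = 0x3000;
    uint64_t a = rb_reserve(&rb, 0x3000, fixed);
    if (a == RB_FAIL)
        return RB_FAIL;
    rb_commit(&rb, a);
    return rb_reserve(&rb, 0x3000, fixed);
}
```

With `fixed` false, chunk B's writable bytes alias chunk A's header exactly as the advisory describes; with `fixed` true the second reservation is rejected while A is still outstanding, but is admitted again once A has been committed. That is the intended scope of the fix: it protects records that have not been committed yet, not a consumer that misreports its own position.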
Attack vector
CVSS score
CVSS is a scoring system that measures the severity of a vulnerability by considering factors such as potential impact, likelihood of attack and ease of exploitation.
Summary: N/A
Vector detail
Metric | Value | Meaning | Description |
---|---|---|---|
External references
- https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f
- https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4
- https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686
- https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069
- https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225
- https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881
Affected products
- Linux – Linux