CVE-2023-52452 - Linux Kernel BPF Stack Slot Access Vulnerability Fixed

A critical vulnerability has been identified and resolved in the Linux kernel. This vulnerability is related to BPF (Berkeley Packet Filter) stack slot access in privileged programs. Before the patch, inconsistent permission to access uninitialized stack memory was observed, which could lead to potential security risks.

Vulnerability Details

The issue (CVE-2023-52452) specifically affects the way privileged programs are allowed to read uninitialized stack memory after commit 6715df8d5. The problem was caused by permitting access inconsistently above state->allocated_stack but not below it. For example, when the stack was already "large enough," access was allowed, but if not, it was rejected instead of growing the stack. This rejection occurred in two places:

in check_stack_range_initialized()

The latest patch resolves this issue by allowing these crucial accesses and updating several tests that relied on the earlier rejection. All the altered tests will now run unprivileged, ensuring that no further security issues persist. The only exception is the global_func16 test since it cannot run unprivileged for other reasons.

Additionally, this patch addresses the tracking of stack size for variable-offset reads. This fix is bundled with the first one because of their interdependence. Previously, writes to the stack using registers with variable offsets were not correctly contributing to the function's needed stack size, leading to potential out-of-bounds data read attempts at runtime.

Each function tracks the size of the stack it needs in
bpf_subprog_info.stack_depth, which is maintained by
update_stack_depth(). For regular memory accesses, check_mem_access()
was calling update_state_depth() but it was passing in only the fixed
part of the offset register, ignoring the variable offset. This was
incorrect; the minimum possible value of that register should be used
instead.

The tracking is now fixed by centralizing the stack size tracking in grow_stack_state() and lifting the calls to grow_stack_state() to check_stack_access_within_bounds(). The code is now simpler and accurately tracks the correct maximum stack size. This change also assists in fixing the first issue, as check_stack_range_initialized() can now rely on having sufficient allocated stack space for the access.

A few tests have been updated to verify the stack depth computation, with the verifier_var_off:stack_write_priv_vs_unpriv test failing without the patch.

References

1. Linux kernel commit fixing the vulnerability: bpf: Fix accesses to uninit stack slots
2. BPF (Berkeley Packet Filter) documentation: BPF - Linux Kernel documentation

Exploit details

The exploit would depend on the ability of an attacker to leverage the inconsistent access permissions to uninitialized stack memory in the Linux kernel. Successful exploitation could allow an attacker to access sensitive information in uninitialized stack memory slots, potentially resulting in unauthorized access, data corruption, or denial of service. The exact impact of this vulnerability depends on the security policies and configurations of the affected programs and systems.

Patch and mitigation

To protect against this vulnerability, users must apply the latest Linux kernel patch, bpf: Fix accesses to uninit stack slots, which corrects the inconsistent access permissions and takes necessary steps to ensure the security and reliability of the affected systems.

Additionally, system administrators should always follow best practices, such as keeping software up-to-date, monitoring security advisories, and implementing robust access controls to prevent unauthorized parties from exploiting system vulnerabilities.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/18/2024 18:24:33 UTC