CVE-2023-52920: Addressing Linux Kernel Vulnerability in BPF Precision Tracking

A security vulnerability in the Linux kernel concerning BPF precision tracking has been identified and resolved. It is tracked as CVE-2023-52920 and concerns support for non-r10 register spill/fill to/from the stack in precision tracking. In this post, we discuss the details of this vulnerability, the code changes made to address it, and the original references associated with it.

Original references

1. Patchwork: https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/

Exploit details

The issue lies in the BPF verifier's precision backtracking logic, which did not account for register spill/fill to/from the stack performed through a register other than r10 (a copy of r10, possibly with an adjusted offset). The vulnerability could be leveraged to cause the BPF verifier to produce incorrect results.

To fix this vulnerability, the following code changes have been implemented:

- Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless of whether this was done through read-only r10 register or any other register after copying r10 into it and potentially adjusting the offset.
- Push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10-bit flags taken away from prev_idx in instruction history. The idx field is not touched for maximum performance, as it's checked most frequently during backtracking.

The code changes effectively remove the practical limitation of precision backtracking logic in the BPF verifier, fixing known deficiencies and opening up new opportunities to reduce the number of verified states.
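As an added illustration of the second change (not code from the page or from the kernel), the following C model packs a frame number, a stack slot index (spi) and a stack-access marker into 10 bits carved out of a history entry's prev_idx word, leaves idx untouched, and lets a backtracking pass mark stack slots precise from the history alone. The bit layout and names (3-bit frame, 6-bit spi, 1-bit marker, HF_* constants) are this example's own assumptions, as is the sample history.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Layout assumed by this example, not quoted from the page: the 32-bit prev_idx word of a
 * history entry donates its top 10 bits to flags (3-bit frame number, 6-bit stack slot
 * index "spi", 1-bit stack-access marker); idx stays a plain field the hot path never decodes. */
#define HF_FRAMENO_MASK 0x7u
#define HF_SPI_SHIFT    3
#define HF_SPI_MASK     0x3fu
#define HF_STACK_ACCESS (1u << 9)
#define HF_BITS         10
#define PREV_IDX_MASK   ((1u << (32 - HF_BITS)) - 1)
#define MAX_FRAMES      8 /* what a 3-bit frame number can address */
struct hist_entry { uint32_t idx; uint32_t prev_idx_flags; }; /* low 22 bits prev_idx, top 10 flags */
static uint32_t hist_pack(uint32_t prev_idx, uint32_t frameno, uint32_t spi, bool stack)
{
    uint32_t flags = (frameno & HF_FRAMENO_MASK) | ((spi & HF_SPI_MASK) << HF_SPI_SHIFT)
                   | (stack ? HF_STACK_ACCESS : 0);
    return (prev_idx & PREV_IDX_MASK) | (flags << (32 - HF_BITS));
}
static uint32_t hist_prev_idx(const struct hist_entry *e) { return e->prev_idx_flags & PREV_IDX_MASK; }
static uint32_t hist_flags(const struct hist_entry *e) { return e->prev_idx_flags >> (32 - HF_BITS); }
static bool hist_is_stack(const struct hist_entry *e) { return (hist_flags(e) & HF_STACK_ACCESS) != 0; }
static uint32_t hist_spi(const struct hist_entry *e) { return (hist_flags(e) >> HF_SPI_SHIFT) & HF_SPI_MASK; }
static uint32_t hist_frameno(const struct hist_entry *e) { return hist_flags(e) & HF_FRAMENO_MASK; }
/* Walk the history newest-to-oldest, as precision backtracking does, and mark each recorded
 * stack slot precise from the (frame, spi) the history carries instead of re-deriving
 * "r10 + off" from the instruction, which a non-r10 spill/fill defeats. Returns the count. */
static int backtrack_mark_stack_precise(const struct hist_entry *hist, size_t n, uint64_t precise[MAX_FRAMES])
{
    int marked = 0;
    for (size_t f = 0; f < MAX_FRAMES; f++) precise[f] = 0; /* precise[f]: slot bitmask of frame f */
    for (size_t i = n; i-- > 0;) {
        if (!hist_is_stack(&hist[i])) continue;
        precise[hist_frameno(&hist[i])] |= (uint64_t)1 << hist_spi(&hist[i]);
        marked++;
    }
    return marked;
}
/* Constructed sample history; returns frame f's precise-slot mask and the number of marked entries. */
static uint64_t sample_precise_mask(unsigned f, int *marked)
{
    struct hist_entry h[3] = { { 3, hist_pack(0, 0, 0, false) },   /* plain jump, no stack access */
                               { 7, hist_pack(3, 1, 5, true) },    /* spill via r7 (adjusted r10 copy): frame 1, spi 5 */
                               { 12, hist_pack(7, 0, 2, true) } }; /* fill: frame 0, spi 2 */
    uint64_t precise[MAX_FRAMES];
    int m = backtrack_mark_stack_precise(h, 3, precise);
    if (marked) *marked = m;
    return f < MAX_FRAMES ? precise[f] : 0;
}
```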

Impact of the code changes

The impact of the changes has been analyzed using the selftests' BPF object files. The results show only three differences, all in a positive direction (fewer states).

| File | Program | Insns (A) | Insns (B) | Insns (DIFF) | States (A) | States (B) | States (DIFF) |
|---|---|---|---|---|---|---|---|
| test_cls_redirect_dynptr.bpf.linked3.o | cls_redirect | 2987 | 2864 | -123 (-4.12%) | 240 | 231 | -9 (-3.75%) |
| xdp_synproxy_kern.bpf.linked3.o | syncookie_tc | 82848 | 82661 | -187 (-.23%) | 5107 | 5073 | -34 (-.67%) |
| xdp_synproxy_kern.bpf.linked3.o | syncookie_xdp | 85116 | 84964 | -152 (-.18%) | 5162 | 5130 | -32 (-.62%) |

Additional notes

It is worth mentioning that the jmp_history was not renamed to a more generic insn_hist in order to minimize the number of lines changed and potential merge conflicts between the bpf and bpf-next trees.

Also, resetting the cur_hist_entry pointer to NULL at the beginning of the instruction verification loop ensures that the last jump history entry's insn_idx does not create ambiguity or issues similar to the one fixed recently in [].

Conclusion

The Linux kernel vulnerability CVE-2023-52920 has been effectively resolved, addressing the issue in BPF precision tracking with non-r10 register spill/fill to/from stack operations. The fix eliminates a significant limitation in precision backtracking logic and paves the way for further optimization and the reduction of verified states.

Timeline

Published on: 11/05/2024 10:15:24 UTC
Last modified on: 11/07/2024 19:31:31 UTC