A newly discovered vulnerability (CVE-2024-26589) in the Linux kernel has been resolved recently. The vulnerability is associated with the bpf (Berkeley Packet Filter) subsystem, specifically related to validating the PTR_TO_FLOW_KEYS.

This post will provide an explanation of the vulnerability, a code snippet to demonstrate the issue, its original references, and the details of the exploit.

Vulnerability Description

In the Linux kernel, the check_flow_keys_access() function only uses a fixed offset for validation of PTR_TO_FLOW_KEYS. However, variable offset ptr alu (Arithmetic Logic Unit) is not prohibited for this ptr kind, allowing the variable offset to remain unchecked, which, in certain cases, can lead to out-of-bounds access.

The following code snippet demonstrates the issue

  func# @
  : R1=ctx() R10=fp
  : (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
  2: (b7) r8 = 1024                     ; R8_w=1024
  3: (37) r8 /= 1                       ; R8_w=scalar()
  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=,
  smax=umax=smax32=umax32=1024,var_off=(x; x400))
  5: (f) r7 += r8
  ...
  6: (79) r = *(u64 *)(r7 +)          ; R_w=scalar()
  7: (95) exit

The code above loads flow_keys to r7 and adds the variable offset r8 to r7, resulting in out-of-bounds access.

Exploit Details

The out-of-bounds access triggered by the code snippet provided above in a vulnerable system generates the following error output:

  BUG: unable to handle page fault for address: ffffc90014c80038
  ...
  Call Trace:
   <TASK>
   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
   __bpf_prog_run include/linux/filter.h:651 [inline]
   bpf_prog_run include/linux/filter.h:658 [inline]
   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
   bpf_flow_dissect+x15f/x350 net/core/flow_dissector.c:991
   bpf_prog_test_run_flow_dissector+x39d/x620 net/bpf/test_run.c:1359
   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
   __sys_bpf+xf8f/x456 kernel/bpf/syscall.c:5475
   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
   __x64_sys_bpf+x73/xb kernel/bpf/syscall.c:5559
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+x3f/x110 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+x63/x6b

Resolution

The vulnerability has been resolved by rejecting ptr alu with variable offset on flow_keys. After applying the patch, the program that caused the out-of-bounds access is now rejected with the error message: "R7 pointer arithmetic on flow_keys prohibited".

The patch ensures that variable offsets are checked properly and prevents out-of-bounds access vulnerabilities.

Original References

1. BPF and XDP Reference Guide - Cilium
2. Linux Kernel Documentation - BPF (Berkeley Packet Filter)
3. Linux Kernel Mailing List - Patch

In conclusion, the CVE-2024-26589 vulnerability in the Linux kernel's bpf PTR_TO_FLOW_KEYS has been resolved by rejecting variable offset alu, thus ensuring proper validation of flow keys offset and preventing out-of-bounds access. Please ensure that your systems are patched and up-to-date to protect against this potential vulnerability.

Timeline

Published on: 02/22/2024 17:15:09 UTC
Last modified on: 03/18/2024 17:56:56 UTC