A vulnerability (CVE-2024-27050) has been resolved in the Linux kernel, specifically within the libbpf library, that could lead to stack corruption. This post covers the details of the issue, including the relevant code snippet, references, and exploit details.

Vulnerability Details

Libbpf is a library that provides a series of helper utilities and functions for dealing with eBPF (Extended Berkeley Packet Filter) objects. The vulnerable code is related to the bpf_xdp_query() function, which is part of the libbpf library.

The vulnerability arises from the fact that the OPTS_SET() macro was not used when adding the feature_flags and xdp_zc_max_segs fields to the libbpf_bpf_xdp_query_opts struct, causing libbpf to write to those fields unconditionally. This means that programs compiled against an older version of libbpf (with a smaller size of the bpf_xdp_query_opts struct) will have their stack corrupted due to libbpf writing out of bounds.

The patch that added the feature_flags field has an early bailout if the feature_flags field is not part of the opts struct (using the OPTS_HAS macro), but this was not the case with the patch that added xdp_zc_max_segs. In order to fix the issue and maintain consistency, the assignments to both fields now use the OPTS_SET() macro.

Original References

- Linux Kernel Mailing List
- Kernel Git Repository

Code Snippet

Here is a code snippet illustrating the changes made to resolve the vulnerability.

struct bpf_xdp_query_opts {
	size_t sz;		/* size of this struct, set by the caller for compatibility */
	/* [...] */
	__u32 feature_flags;	/* out */
	__u32 xdp_zc_max_segs;	/* out */
};

int bpf_xdp_query(int ifindex, int xdp_flags, struct bpf_xdp_query_opts *opts)
{
	/* [...] */

	/* Callers built before feature_flags existed have nothing further to fill in. */
	if (!OPTS_HAS(opts, feature_flags))
		return 0;

	/* [...] */

	/* OPTS_SET() only writes a field that lies within the size the caller passed. */
	OPTS_SET(opts, feature_flags, feature_flags);
	OPTS_SET(opts, xdp_zc_max_segs, segs);

	return 0;
}

As shown above, both the feature_flags and xdp_zc_max_segs assignments now go through the OPTS_SET() macro, which checks the struct size the caller passed before writing to a field, so that a write never lands past the end of an older caller's struct and its stack stays intact.
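To make the size check concrete, here is an added, self-contained C example (not libbpf's own code): it re-implements the opts convention with a caller-supplied sz field, defines two hypothetical stand-ins for bpf_xdp_query() (one writing unconditionally as the bug did, one gated by OPTS_SET()), and calls each with a struct sized the way an older caller would have allocated it, with a canary in the bytes that follow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed re-implementation of libbpf's opts convention (not libbpf's own
 * source): a *_opts struct starts with size_t sz, which the caller sets to the
 * struct size its headers knew about, and every write is gated on that size. */
#define offsetofend(type, member) \
	(offsetof(type, member) + sizeof(((type *)0)->member))
#define OPTS_HAS(opts, field) \
	(offsetofend(__typeof__(*(opts)), field) <= (opts)->sz)
#define OPTS_SET(opts, field, value) \
	do { if (OPTS_HAS(opts, field)) (opts)->field = (value); } while (0)

struct xdp_query_opts {            /* "new" layout: both fields from the CVE */
	size_t sz;
	uint32_t feature_flags;
	uint32_t xdp_zc_max_segs;
};
/* Struct size an older caller was compiled with: sz + feature_flags only. */
#define OLD_OPTS_SZ offsetofend(struct xdp_query_opts, feature_flags)

/* Hypothetical stand-ins for bpf_xdp_query() returning constants instead of a
 * netlink reply: the first mirrors the bug, the second the fix. */
static void query_unchecked(struct xdp_query_opts *opts)
{
	opts->feature_flags = 0x1f;
	opts->xdp_zc_max_segs = 3;          /* written whatever opts->sz says */
}
static void query_checked(struct xdp_query_opts *opts)
{
	OPTS_SET(opts, feature_flags, 0x1f);
	OPTS_SET(opts, xdp_zc_max_segs, 3); /* skipped when sz is too small */
}

/* Old binary's frame: the old-sized struct followed by a canary standing in
 * for whatever the caller had next on its stack. Returns 1 if it survived. */
static int canary_survives(void (*query)(struct xdp_query_opts *))
{
	union { struct xdp_query_opts full; unsigned char bytes[sizeof(struct xdp_query_opts)]; } f;
	unsigned char canary[sizeof(f)];
	size_t n = sizeof(f) - OLD_OPTS_SZ;
	memset(canary, 0xA5, sizeof(canary));
	memset(f.bytes, 0, sizeof(f));
	memcpy(f.bytes + OLD_OPTS_SZ, canary, n);
	f.full.sz = OLD_OPTS_SZ;            /* what the old caller reports */
	query(&f.full);
	return memcmp(f.bytes + OLD_OPTS_SZ, canary, n) == 0;
}
```

canary_survives(query_unchecked) returns 0 because the unconditional xdp_zc_max_segs store lands on the canary, while canary_survives(query_checked) returns 1 because OPTS_SET() compares the field's end offset against the caller's sz and skips the write.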

Exploit Details

Triggering this vulnerability requires the ability to compile and run a program that uses the libbpf library on the affected system. The exploit would involve compiling the program against an older version of the bpf_xdp_query_opts struct and then running it against a newer kernel's libbpf with the extended struct, causing the stack to be corrupted.

CVE-2024-27050 is considered a low-risk vulnerability because it generally requires an attacker to already run their own code in the target environment.

Conclusion

CVE-2024-27050 is a stack corruption vulnerability that was present in the libbpf library of the Linux kernel tree. The issue has been addressed by consistently using the OPTS_SET() macro for the feature_flags and xdp_zc_max_segs fields. This change ensures that stack corruption is avoided by checking the opts struct's size before writing to the fields, providing greater security and stability for programs that use the libbpf library.

Timeline

Published on: 05/01/2024 13:15:50 UTC
Last modified on: 07/03/2024 01:50:17 UTC