A vulnerability has recently been resolved in the Linux kernel in the handling of malformed BPF_CORE_TYPE_ID_LOCAL relocation records (relos). When a relocation record of that kind references a non-existing BTF type, the function bpf_core_calc_relo_insn ends in a null pointer dereference. This post describes the vulnerability in simple terms, provides a code snippet, and points to the original references while detailing the exploit.

Vulnerability Explanation

The vulnerability exists because user-supplied data is not properly validated: the Linux kernel accepts malformed relocation records of kind BPF_CORE_TYPE_ID_LOCAL without checking them. When such a record references a non-existing BTF type, the type lookup yields no type and the bpf_core_calc_relo_insn function dereferences a null pointer.

To fix this issue, a check needs to be added in the call stack so that relocation records coming from user space are validated before they are used. With that check in place, the Linux kernel no longer hits the null pointer dereference in this scenario.

Here is a simplified reproducer of the vulnerability: a two-instruction BPF program together with the C initializer for the single relocation record that triggers the bug.

    /* BPF program: just returns 0; the relocation targets its first instruction */
    r0 = 0;
    exit;

    /* CO-RE relocation record submitted from user space alongside the program */
    struct bpf_core_relo relos[] = {
        {
            .insn_off = 0,          /* patch first instruction */
            .type_id = 100500,      /* this type id does not exist */
            .access_str_off = 6,    /* offset of string "0" */
            .kind = BPF_CORE_TYPE_ID_LOCAL,
        },
    };

This snippet illustrates the vulnerability: a single relocation record with a non-existing BTF type is enough to trigger it. To view the original reproducer or the test case, see the links provided in the next section.
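As an added illustration (not code from the original post or from the kernel tree), the following C model shows the kind of validation the fix describes: a relocation record from user space is rejected when its type id has no BTF type, before any code dereferences the lookup result. The structures are simplified stand-ins for the kernel's, the BTF table is constructed, and the bad record reuses the reproducer's type id 100500.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's BTF and CO-RE structures (not the real
 * definitions); BPF_CORE_TYPE_ID_LOCAL keeps its uapi value. */
#define BPF_CORE_TYPE_ID_LOCAL 6u
struct btf_type { uint32_t name_off; uint32_t info; uint32_t size; };
struct btf { const struct btf_type *types; uint32_t nr_types; }; /* valid ids: 0..nr_types-1 */
struct bpf_core_relo { uint32_t insn_off; uint32_t type_id; uint32_t access_str_off; uint32_t kind; };

/* Like the kernel's btf_type_by_id(): NULL when the id is not in this BTF. */
static const struct btf_type *btf_type_by_id(const struct btf *btf, uint32_t id)
{
    return id < btf->nr_types ? &btf->types[id] : NULL;
}

/* The missing validation: every relocation record supplied from user space must
 * name a type the BTF actually contains. Returns the index of the first bad
 * record, or -1 when all of them are usable. */
int find_bad_core_relo(const struct btf *btf, const struct bpf_core_relo *relos, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        if (!btf_type_by_id(btf, relos[i].type_id)) {
            fprintf(stderr, "relo #%u: bad type id %u\n", i, relos[i].type_id);
            return (int)i;
        }
    }
    return -1;
}

/* Resolves one BPF_CORE_TYPE_ID_LOCAL record: the patched immediate is the local
 * type id, and the type's size is read through the looked-up pointer, which is
 * where an unvalidated id would become a NULL dereference; so validate first. */
int core_calc_type_id_local(const struct btf *btf, const struct bpf_core_relo *relo,
                            uint32_t *new_imm, uint32_t *type_size)
{
    if (relo->kind != BPF_CORE_TYPE_ID_LOCAL || find_bad_core_relo(btf, relo, 1) != -1)
        return -EINVAL;
    *new_imm = relo->type_id;
    *type_size = btf_type_by_id(btf, relo->type_id)->size; /* non-NULL after validation */
    return 0;
}

/* Constructed sample data: a BTF with three types (id 0 is void) and the
 * reproducer's record, whose type id 100500 does not exist. */
static const struct btf_type sample_types[] = { {0, 0, 0}, {1, 1u << 24, 4}, {5, 1u << 24, 8} };
const struct btf sample_btf = { sample_types, 3 };
const struct bpf_core_relo bad_relo  = { 0, 100500, 6, BPF_CORE_TYPE_ID_LOCAL };
const struct bpf_core_relo good_relo = { 0, 2, 6, BPF_CORE_TYPE_ID_LOCAL };
```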

Exploit Details

An attacker able to submit malformed relocation records of kind BPF_CORE_TYPE_ID_LOCAL from user space can trigger this vulnerability. Doing so causes a null pointer dereference in the kernel, which, depending on the system and context, could lead to crashes, denial of service, or other unintended behavior.

To mitigate this vulnerability, ensure that your Linux kernel is updated to the latest version, or to a version with the fix for this particular issue. Also, consider implementing input validation for user-supplied data, specifically when handling relocation records.

Timeline

Published on: 10/21/2024 13:15:05 UTC
Last modified on: 11/19/2024 01:09:37 UTC