CVE-2024-43910 in Linux
Summary
by MITRE • 08/26/2024
In the Linux kernel, the following vulnerability has been resolved:
bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses
Currently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to a global function as an argument. The adverse effects of this is that BPF helpers can continue to make use of this modified CONST_PTR_TO_DYNPTR from within the context of the global function, which can unintentionally result in out-of-bounds memory accesses and therefore compromise overall system stability i.e.
[ 244.157771] BUG: KASAN: slab-out-of-bounds in bpf_dynptr_data+0x137/0x140
[ 244.161345] Read of size 8 at addr ffff88810914be68 by task test_progs/302
[ 244.167151] CPU: 0 PID: 302 Comm: test_progs Tainted: G O E 6.10.0-rc3-00131-g66b586715063 #533
[ 244.174318] Call Trace:
[ 244.175787]
[ 244.177356] dump_stack_lvl+0x66/0xa0
[ 244.179531] print_report+0xce/0x670
[ 244.182314] ? __virt_addr_valid+0x200/0x3e0
[ 244.184908] kasan_report+0xd7/0x110
[ 244.187408] ? bpf_dynptr_data+0x137/0x140
[ 244.189714] ? bpf_dynptr_data+0x137/0x140
[ 244.192020] bpf_dynptr_data+0x137/0x140
[ 244.194264] bpf_prog_b02a02fdd2bdc5fa_global_call_bpf_dynptr_data+0x22/0x26
[ 244.198044] bpf_prog_b0fe7b9d7dc3abde_callback_adjust_bpf_dynptr_reg_off+0x1f/0x23
[ 244.202136] bpf_user_ringbuf_drain+0x2c7/0x570
[ 244.204744] ? 0xffffffffc0009e58
[ 244.206593] ? __pfx_bpf_user_ringbuf_drain+0x10/0x10
[ 244.209795] bpf_prog_33ab33f6a804ba2d_user_ringbuf_callback_const_ptr_to_dynptr_reg_off+0x47/0x4b
[ 244.215922] bpf_trampoline_6442502480+0x43/0xe3
[ 244.218691] __x64_sys_prlimit64+0x9/0xf0
[ 244.220912] do_syscall_64+0xc1/0x1d0
[ 244.223043] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 244.226458] RIP: 0033:0x7ffa3eb8f059
[ 244.228582] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
[ 244.241307] RSP: 002b:00007ffa3e9c6eb8 EFLAGS: 00000206 ORIG_RAX: 000000000000012e
[ 244.246474] RAX: ffffffffffffffda RBX: 00007ffa3e9c7cdc RCX: 00007ffa3eb8f059
[ 244.250478] RDX: 00007ffa3eb162b4 RSI: 0000000000000000 RDI: 00007ffa3e9c7fb0
[ 244.255396] RBP: 00007ffa3e9c6ed0 R08: 00007ffa3e9c76c0 R09: 0000000000000000
[ 244.260195] R10: 0000000000000000 R11: 0000000000000206 R12: ffffffffffffff80
[ 244.264201] R13: 000000000000001c R14: 00007ffc5d6b4260 R15: 00007ffa3e1c7000
[ 244.268303]
Add a check_func_arg_reg_off() to the path in which the BPF verifier verifies the arguments of global function arguments, specifically those which take an argument of type ARG_PTR_TO_DYNPTR | MEM_RDONLY. Also, process_dynptr_func() doesn't appear to perform any explicit and strict type matching on the supplied register type, so let's also enforce that a register either type PTR_TO_STACK or CONST_PTR_TO_DYNPTR is by the caller.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/13/2024
The vulnerability described in CVE-2024-43910 resides within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem, specifically in how it handles dynamic pointer types during function argument validation. This flaw allows for a potential out-of-bounds memory access scenario when a modified CONST_PTR_TO_DYNPTR is passed as an argument to a global function. The issue manifests through the BPF verifier's insufficient validation of register types during function calls, creating a path where malicious or malformed input can lead to memory corruption. The vulnerability is particularly concerning because it operates at the kernel level, potentially allowing attackers to exploit memory safety boundaries and compromise system stability.
The technical root cause lies in the absence of proper type checking within the BPF verifier's argument validation logic. When a global function is called with a dynamic pointer argument, the system fails to enforce strict type matching on the register type. This omission permits the passing of a modified CONST_PTR_TO_DYNPTR through the function call path, which can then be used by BPF helper functions to perform memory operations beyond valid boundaries. The call trace demonstrates how the vulnerability manifests during a bpf_dynptr_data operation, where a read of size 8 occurs at an address that has been corrupted by the improper pointer handling. This behavior aligns with CWE-129, which describes issues related to insufficient boundary checking, and more specifically with CWE-787, concerning out-of-bounds write operations.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation and system instability. When the BPF verifier fails to validate function arguments properly, it creates a condition where attackers can manipulate pointer values to access memory regions that should be protected. This can result in data leakage, system crashes, or in more severe cases, allow for privilege escalation attacks. The vulnerability affects systems running Linux kernel versions that include the affected BPF implementation, particularly those utilizing eBPF programs with dynamic pointer operations. The specific error message indicates a slab-out-of-bounds condition, which is a classic symptom of memory corruption that can lead to further exploitation techniques.
Mitigation strategies for CVE-2024-43910 involve implementing the missing check_func_arg_reg_off() function to validate register types during global function argument processing. This enforcement ensures that only specific register types such as PTR_TO_STACK or CONST_PTR_TO_DYNPTR are accepted, preventing the passage of modified dynamic pointer values through function calls. The fix requires modifications to the BPF verifier's argument validation logic to include explicit type checking before allowing function arguments to proceed. System administrators should prioritize updating to kernel versions that contain this patch, as the vulnerability affects the core kernel memory management subsystem. Additionally, monitoring for unusual BPF program behavior and implementing proper access controls for eBPF program loading can help reduce the attack surface. The fix addresses the underlying ATT&CK technique T1059.006 by preventing malicious code execution through kernel-level vulnerabilities, and aligns with defensive practices outlined in the MITRE ATT&CK framework for kernel-mode exploitation prevention.