Dead Code Affecting kernel-64k-debug-devel package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-KERNEL64KDEBUGDEVEL-7028061
- published23 May 2024
- disclosed21 May 2024
Introduced: 21 May 2024
CVE-2023-52828 (opens in a new tab)How to fix?
There is no fixed version for Centos:9 kernel-64k-debug-devel.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-64k-debug-devel package and not the kernel-64k-debug-devel package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
bpf: Detect IP == ksym.end as part of BPF program
Now that bpf_throw kfunc is the first such call instruction that has noreturn semantics within the verifier, this also kicks in dead code elimination in unprecedented ways. For one, any instruction following a bpf_throw call will never be marked as seen. Moreover, if a callchain ends up throwing, any instructions after the call instruction to the eventually throwing subprog in callers will also never be marked as seen.
The tempting way to fix this would be to emit extra 'int3' instructions which bump the jited_len of a program, and ensure that during runtime when a program throws, we can discover its boundaries even if the call instruction to bpf_throw (or to subprogs that always throw) is emitted as the final instruction in the program.
An example of such a program would be this:
do_something(): ... r0 = 0 exit
foo(): r1 = 0 call bpf_throw r0 = 0 exit
bar(cond): if r1 != 0 goto pc+2 call do_something exit call foo r0 = 0 // Never seen by verifier exit //
main(ctx): r1 = ... call bar r0 = 0 exit
Here, if we do end up throwing, the stacktrace would be the following:
bpf_throw foo bar main
In bar, the final instruction emitted will be the call to foo, as such, the return address will be the subsequent instruction (which the JIT emits as int3 on x86). This will end up lying outside the jited_len of the program, thus, when unwinding, we will fail to discover the return address as belonging to any program and end up in a panic due to the unreliable stack unwinding of BPF programs that we never expect.
To remedy this case, make bpf_prog_ksym_find treat IP == ksym.end as part of the BPF program, so that is_bpf_text_address returns true when such a case occurs, and we are able to unwind reliably when the final instruction ends up being a call instruction.
References
- https://access.redhat.com/security/cve/CVE-2023-52828
- https://git.kernel.org/stable/c/327b92e8cb527ae097961ffd1610c720481947f5
- https://git.kernel.org/stable/c/6058e4829696412457729a00734969acc6fd1d18
- https://git.kernel.org/stable/c/66d9111f3517f85ef2af0337ece02683ce0faf21
- https://git.kernel.org/stable/c/821a7e4143af115b840ec199eb179537e18af922
- https://git.kernel.org/stable/c/aa42a7cb92647786719fe9608685da345883878f
- https://git.kernel.org/stable/c/cf353904a82873e952633fcac4385c2fcd3a46e1