NVD

NOTICE UPDATED - April, 25th 2024

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

CVE-2023-52452 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score: 7.8 HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19	Patch
https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529	Patch
https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-665	Improper Initialization	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 3/18/2024 2:24:33 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.12 up to (excluding) 6.6.14 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7.0 up to (excluding) 6.7.2
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-665
Changed	Reference Type	https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 No Types Assigned	https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 No Types Assigned	https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde No Types Assigned	https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde Patch

Quick Info

CVE Dictionary Entry:
CVE-2023-52452
NVD Published Date:
02/22/2024
NVD Last Modified:
03/18/2024
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database