From: Michal Hocko <mhocko@suse.com>
To: cve@kernel.org, linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: CVE-2023-52592: libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
Date: Thu, 7 Mar 2024 10:58:19 +0100 [thread overview]
Message-ID: <ZemPuxhM_ZZ-khTh@tiehlicka> (raw)
In-Reply-To: <2024030645-CVE-2023-52592-4693@gregkh>
On Wed 06-03-24 06:45:50, Greg KH wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
>
> An issue occurred while reading an ELF file in libbpf.c during fuzzing:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
> 4206 in libbpf.c
> (gdb) bt
> #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
> #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
> #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
> #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
> #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
> #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
> #6 0x000000000087ad92 in tracing::span::Span::in_scope ()
> #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
> #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
> #9 0x00000000005f2601 in main ()
> (gdb)
>
> scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
>
> if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
>
> The scn_data is derived from the code above:
>
> scn = elf_sec_by_idx(obj, sec_idx);
> scn_data = elf_sec_data(obj, scn);
>
> relo_sec_name = elf_sec_str(obj, shdr->sh_name);
> sec_name = elf_sec_name(obj, scn);
> if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL
> return -EINVAL;
>
> In certain special scenarios, such as reading a malformed ELF file,
> it is possible that scn_data may be a null pointer
>
> The Linux kernel CVE team has assigned CVE-2023-52592 to this issue.
OK, so this one is quite interesting. This is a userspace tooling
gaining a kernel CVE. Is this just an omission or is this really
expected.
Also what is the security threat model here? If a malformed ELF file is
loaded then the process gets SEGV which is perfectly reasonable thing to
do.
Thanks!
--
Michal Hocko
SUSE Labs
next parent reply other threads:[~2024-03-07 10:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024030645-CVE-2023-52592-4693@gregkh>
2024-03-07 9:58 ` Michal Hocko [this message]
2024-03-07 13:16 ` CVE-2023-52592: libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos Greg Kroah-Hartman
2024-03-07 14:56 ` Michal Hocko
2024-03-07 17:50 ` Andrii Nakryiko
2024-03-07 20:04 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZemPuxhM_ZZ-khTh@tiehlicka \
--to=mhocko@suse.com \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox