In the Linux kernel, the following vulnerability has been resolved:

arm64: probes: Fix uprobes for big-endian kernels

The arm64 uprobes code is broken for big-endian kernels as it doesn't
convert the in-memory instruction encoding (which is always
little-endian) into the kernel's native endianness before analyzing and
simulating instructions. This may result in a few distinct problems:

* The kernel may erroneously reject probing an instruction which can
  safely be probed.

* The kernel may erroneously permit stepping an instruction out-of-line
  when that instruction cannot be stepped out-of-line safely.

* The kernel may simulate an instruction incorrectly due to
  interpreting the byte-swapped encoding.

The endianness mismatch isn't caught by the compiler or sparse because:

* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so
  the compiler and sparse have no idea these contain a little-endian
  32-bit value. The core uprobes code populates these with a memcpy()
  which similarly does not handle endianness.

* While the uprobe_opcode_t type is an alias for __le32, both
  arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from
  u8[] to the similarly-named probe_opcode_t, which is an alias for
  u32. Hence there is no endianness conversion warning.

Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and
adding the appropriate __le32_to_cpu() conversions prior to consuming
the instruction encoding. The core uprobes code copies these fields as
opaque ranges of bytes, and so is unaffected by this change.

At the same time, remove MAX_UINSN_BYTES and consistently use
AARCH64_INSN_SIZE for clarity.

Tested with the following:

| #include
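The endianness mix-up described above, as an added example that is not part of this advisory or of the kernel's own probes code: a small user-space C model of the analysis step. analyze_fixed() converts the raw instruction bytes from little-endian before decoding, as the fix does with __le32_to_cpu(); analyze_buggy_be() reproduces what the pre-fix u8[] to u32 cast yielded on a big-endian kernel, the byte-swapped encoding. The classifier (classify(), b_bl_offset()), the three action names and the sample encodings are assumptions for illustration: a toy subset of the AArch64 top-level decode covering B/BL and register-addressed loads/stores, not the kernel's decode-insn.c. It shows two of the three failure modes from the commit message on constructed input: `b #8` and `ldr x0, [x1]` are wrongly rejected as unallocated, and `bl #0x50` is "simulated" as `b #0x250` with the wrong offset and no link.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 instructions are 4 bytes and are always stored little-endian in
 * memory, whatever endianness the kernel itself runs in. */
#define AARCH64_INSN_SIZE 4

enum probe_action { PROBE_REJECT, PROBE_SIMULATE, PROBE_STEP_XOL };

struct insn_decision {
    enum probe_action action;
    uint32_t opcode;        /* the host-order encoding that was actually analysed */
    int64_t  branch_offset; /* byte offset for a simulated B/BL */
    bool     link;          /* true for BL (writes the return address to X30) */
};

/* Stand-in for __le32_to_cpu() applied to the raw instruction bytes. */
static uint32_t insn_le32_to_cpu(const uint8_t b[AARCH64_INSN_SIZE])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* What the pre-fix `*(u32 *)insn` reinterpretation yields on a big-endian
 * kernel: the byte-swapped encoding. Modelled explicitly so the demo behaves
 * the same on whatever host it is compiled on (assumed model, not kernel code). */
static uint32_t insn_as_read_by_be_kernel(const uint8_t b[AARCH64_INSN_SIZE])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* imm26 (bits 25:0) of B/BL, sign-extended and scaled by 4. */
static int64_t b_bl_offset(uint32_t insn)
{
    int32_t imm26 = (int32_t)(insn & 0x03FFFFFFu);
    if (imm26 & 0x02000000)
        imm26 -= 0x04000000;
    return (int64_t)imm26 * 4;
}

/* Toy subset of instruction analysis: top-level class from bits 28:25, then
 * B/BL (must be simulated, they are PC-relative) and register-addressed
 * loads/stores (safe to single-step out of line). Everything else is rejected
 * here; the real kernel handles many more forms. */
static struct insn_decision classify(uint32_t insn)
{
    struct insn_decision d = { PROBE_REJECT, insn, 0, false };
    unsigned op1 = (insn >> 25) & 0xFu;

    if (op1 == 0x0 || op1 == 0x1 || op1 == 0x3)      /* reserved / unallocated */
        return d;

    if ((op1 & 0xEu) == 0xAu) {                      /* 101x: branches, exception, system */
        if ((insn & 0x7C000000u) == 0x14000000u) {   /* B (bit 31 = 0) / BL (bit 31 = 1) */
            d.action = PROBE_SIMULATE;
            d.link = (insn >> 31) != 0;
            d.branch_offset = b_bl_offset(insn);
        }
        return d;
    }

    if ((op1 & 0x5u) == 0x4u) {                      /* x1x0: loads and stores */
        if ((insn & 0x3B000000u) != 0x18000000u)     /* exclude PC-relative literal loads */
            d.action = PROBE_STEP_XOL;
        return d;
    }
    return d;
}

/* The fixed path: convert from little-endian before looking at anything. */
static struct insn_decision analyze_fixed(const uint8_t insn[AARCH64_INSN_SIZE])
{
    return classify(insn_le32_to_cpu(insn));
}

/* The buggy path as it behaved on a big-endian kernel before the fix. */
static struct insn_decision analyze_buggy_be(const uint8_t insn[AARCH64_INSN_SIZE])
{
    return classify(insn_as_read_by_be_kernel(insn));
}

/* Constructed samples: the bytes as they sit in a user-space text page. */
static const uint8_t SAMPLE_B_8[AARCH64_INSN_SIZE]     = { 0x02, 0x00, 0x00, 0x14 }; /* b  #8        = 0x14000002 */
static const uint8_t SAMPLE_BL_0x50[AARCH64_INSN_SIZE] = { 0x14, 0x00, 0x00, 0x94 }; /* bl #0x50     = 0x94000014 */
static const uint8_t SAMPLE_LDR[AARCH64_INSN_SIZE]     = { 0x20, 0x00, 0x40, 0xF9 }; /* ldr x0, [x1] = 0xF9400020 */

static const char *action_name(enum probe_action a)
{
    return a == PROBE_REJECT ? "reject" : a == PROBE_SIMULATE ? "simulate" : "step-xol";
}

static void show(const char *name, const uint8_t insn[AARCH64_INSN_SIZE])
{
    struct insn_decision f = analyze_fixed(insn), b = analyze_buggy_be(insn);
    printf("%-13s fixed: %08x %-8s off=%lld link=%d | buggy BE: %08x %-8s off=%lld link=%d\n",
           name, f.opcode, action_name(f.action), (long long)f.branch_offset, (int)f.link,
           b.opcode, action_name(b.action), (long long)b.branch_offset, (int)b.link);
}

int main(void)
{
    show("b #8", SAMPLE_B_8);          /* buggy BE kernel sees 0x02000014: unallocated, probe rejected */
    show("bl #0x50", SAMPLE_BL_0x50);  /* buggy BE kernel sees 0x14000094: simulated as b #0x250, no link */
    show("ldr x0,[x1]", SAMPLE_LDR);   /* buggy BE kernel sees 0x200040f9: unallocated, probe rejected */
    return 0;
}
```

The `bl #0x50` case is the dangerous one: the swapped encoding is still a valid branch, so nothing is rejected and the probe "works", but the simulated target is wrong and X30 is never written, which is exactly the silent mis-simulation the third bullet warns about. The practical check after applying a fix like this is that the byte order of the probed instruction is only ever consumed through a typed `__le32` conversion, so that sparse can flag any remaining raw u32 access.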
No PoCs from references.
- https://github.com/w4zu/Debian_security