In the Linux kernel, the following vulnerability has been resolved:

net: Add rx_skb of kfree_skb to raw_tp_null_args[].

Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0] in trace_kfree_skb if the prog does not check if rx_sk is NULL.

Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") added rx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.

Let's add kfree_skb to raw_tp_null_args[] to let the BPF verifier validate such a prog and prevent the issue.

Now we fail to load such a prog:

    libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
    0: R1=ctx() R10=fp0
    ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
    0: (79) r3 = *(u64 *)(r1 +24)
    func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
    1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
    ; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
    1: (69) r4 = *(u16 *)(r3 +16)
    R3 invalid mem access 'trusted_ptr_or_null_'
    processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
    -- END PROG LOAD LOG --

Note this fix requires commit 838a10bd2ebf ("bpf: Augment raw_tp arguments with PTR_MAYBE_NULL").

[0]:

    BUG: kernel NULL pointer dereference, address: 0000000000000010
     PF: supervisor read access in kernel mode
     PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    PREEMPT SMP
    RIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d
    Call Trace:
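A triage sketch for the load log quoted in the commit message above, added here and not part of the kernel commit or libbpf: it scans a libbpf verifier log for rejected dereferences of a maybe-NULL pointer and reports the program, source line and tracepoint argument that needs a NULL check. The function name, regexes and report fields are assumptions of this example; the sample input is the log from the message.

```python
import re

# Sample input: the verifier log quoted in the commit message (raw string keeps "\n" literal).
SAMPLE_LOG = r"""libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --
0: R1=ctx() R10=fp0
; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21
0: (79) r3 = *(u64 *)(r1 +24)
func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'
1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)
; bpf_printk("sk: %d, %d\n", sk, sk->__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24
1: (69) r4 = *(u16 *)(r3 +16)
R3 invalid mem access 'trusted_ptr_or_null_'
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
-- END PROG LOAD LOG --
"""

PROG_RE = re.compile(r"prog '([^']+)': -- BEGIN PROG LOAD LOG --")
SRC_RE = re.compile(r"^; .* @ (\S+):(\d+)$")          # source annotation line
INSN_RE = re.compile(r"^(\d+): \([0-9a-f]{2}\) (.+)$")  # "idx: (opcode) text"
ARG_RE = re.compile(r"^func '([^']+)' arg(\d+) has btf_id \d+ type STRUCT '([^']+)'")
ERR_RE = re.compile(r"^(R\d+) invalid mem access '([^']*_or_null_)'")

def find_maybe_null_derefs(log):
    """Return one finding per rejected dereference of a *_or_null_ register."""
    findings = []
    prog, src, insn, arg = None, (None, None), (None, None), (None, None, None)
    for line in (raw.strip() for raw in log.splitlines()):
        if m := PROG_RE.search(line):
            # New program log: forget context from the previous one.
            prog, src, insn, arg = m.group(1), (None, None), (None, None), (None, None, None)
        elif m := SRC_RE.match(line):
            src = (m.group(1), int(m.group(2)))
        elif m := INSN_RE.match(line):
            insn = (int(m.group(1)), m.group(2))
        elif m := ARG_RE.match(line):
            arg = (m.group(1), int(m.group(2)), m.group(3))
        elif m := ERR_RE.match(line):
            findings.append({
                "prog": prog, "reg": m.group(1), "reg_type": m.group(2),
                "insn": insn[0], "insn_text": insn[1],
                "file": src[0], "line": src[1],
                "tracepoint": arg[0], "arg": arg[1], "struct": arg[2],
            })
    return findings

if __name__ == "__main__":
    for f in find_maybe_null_derefs(SAMPLE_LOG):
        print("{prog}: {file}:{line} dereferences {reg} ({reg_type}) from "
              "{tracepoint} arg{arg} (struct {struct}); add a NULL check".format(**f))
```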
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds