CVE-2024-26884

bpf: Fix hashtab overflow check on 32-bit arches

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix hashtab overflow check on 32-bit arches

The hashtab code relies on roundup_pow_of_two() to compute the number of
hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code. So apply the same
fix to hashtab, by moving the overflow check to before the roundup.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la comprobación de desbordamiento de hashtab en arcos de 32 bits. El código hashtab se basa en roundup_pow_of_two() para calcular el número de depósitos de hash y contiene una comprobación de desbordamiento comprobando si el valor resultante es 0. Sin embargo, en arcos de 32 bits, el código de resumen en sí puede desbordarse al realizar un desplazamiento hacia la izquierda de 32 bits de un valor largo sin signo, lo cual es un comportamiento indefinido, por lo que no se garantiza que se trunque claramente. Esto fue activado por syzbot en el tipo DEVMAP_HASH, que contiene la misma verificación, copiada del código hashtab. Así que aplique la misma solución a hashtab, moviendo la verificación de desbordamiento antes del resumen.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-30 EPSS Updated
2024-11-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-190: Integer Overflow or Wraparound

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/daaf427c6ab392bedcd018e326b2ffa1e1110cd6	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/33ec04cadb77605b71d9298311919303d390c4d5	2024-03-26
https://git.kernel.org/stable/c/92c81fbb3ed2e0dfc33a4183a67135e1ab566ace	2024-03-26
https://git.kernel.org/stable/c/64f00b4df0597590b199b62a37a165473bf658a6	2024-03-26
https://git.kernel.org/stable/c/3b08cfc65f07b1132c1979d73f014ae6e04de55d	2024-03-26
https://git.kernel.org/stable/c/a83fdaeaea3677b83a53f72ace2d73a19bcd6d93	2024-03-26
https://git.kernel.org/stable/c/8435f0961bf3dc65e204094349bd9aeaac1f8868	2024-03-26
https://git.kernel.org/stable/c/d817f0d34d927f2deb17dadbfe212c9a6a32ac3e	2024-03-26
https://git.kernel.org/stable/c/a6fa75b5096c0f9826a4fabe22d907b0a5bb1016	2024-03-26
https://git.kernel.org/stable/c/6787d916c2cf9850c97a0a3f73e08c43e7d973b1	2024-03-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 4.19.311 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.19.311"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 5.4.273 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 5.4.273"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 5.10.214 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 5.10.214"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 5.15.153 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 5.15.153"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 6.1.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.19 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 6.9"		en		Affected