CVE-2024-35905

bpf: Protect against int overflow for stack access size

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Protect against int overflow for stack access size

This patch re-introduces protection against the size of access to stack
memory being negative; the access size can appear negative as a result
of overflowing its signed int representation. This should not actually
happen, as there are other protections along the way, but we should
protect against it anyway. One code path was missing such protections
(fixed in the previous patch in the series), causing out-of-bounds array
accesses in check_stack_range_initialized(). This patch causes the
verification of a program with such a non-sensical access size to fail.

This check used to exist in a more indirect way, but was inadvertendly
removed in a833a17aeac7.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Protección contra desbordamiento int para el tamaño de acceso a la pila. Este parche reintroduce la protección contra que el tamaño de acceso a la memoria de la pila sea negativo; el tamaño de acceso puede parecer negativo como resultado de desbordar su representación int firmada. En realidad, esto no debería suceder, ya que existen otras protecciones en el camino, pero debemos protegernos contra ello de todos modos. A una ruta de código le faltaban dichas protecciones (corregidas en el parche anterior de la serie), lo que provocaba accesos a matrices fuera de los límites en check_stack_range_initialized(). Este parche hace que falle la verificación de un programa con un tamaño de acceso tan absurdo. Esta verificación solía existir de una manera más indirecta, pero se eliminó inadvertidamente en a833a17aeac7.

A flaw was found in the Linux kernel. An integer overflow vulnerability exists in the access size of a stack, such that the size of the access stack can appear negative as a result of overflowing its signed int representation. This issue can result in denial of service.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-19 CVE Published
2024-05-20 EPSS Updated
2024-11-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (15)

URL	Tag	Source
https://git.kernel.org/stable/c/afea95d319ccb4ad2060dece9ac5e2e364dec543	Vuln. Introduced
https://git.kernel.org/stable/c/02962684258eb53f414a8a59854767be526e6abb	Vuln. Introduced
https://git.kernel.org/stable/c/b1d4d54d32ce6342f5faffe71bae736540ce7cb5	Vuln. Introduced
https://git.kernel.org/stable/c/08b91babccbb168353f8d43fea0ed28a4cad568c	Vuln. Introduced
https://git.kernel.org/stable/c/a833a17aeac73b33f79433d7cee68d5cafd71e4f	Vuln. Introduced
https://git.kernel.org/stable/c/1858b8a331937f3976d8482cd5f6e1f945294ad3	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d	2024-04-13
https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69	2024-04-10
https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1	2024-04-10
https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69	2024-04-10
https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103	2024-04-10
https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8	2024-03-27

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35905	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2281651	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.209 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.209 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.148 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.148 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.75 < 6.1.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.75 < 6.1.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.14 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.14 < 6.6.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.8.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.7.2 Search vendor "Linux" for product "Linux Kernel" and version "6.7.2"		en		Affected