cve/2024/CVE-2024-56702.md
2025-09-29 21:09:30 +02:00
CVE-2024-56702

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Mark raw_tp arguments with PTR_MAYBE_NULL

Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0].

Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel.

To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment.

The reason we do mask_raw_tp_trusted_reg logic is because others will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag.

To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL.

While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now.

It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later.

Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereferencing a raw tracepoint argument marked as __nullable.

[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb

POC

Reference

No PoCs from references.

Github