CVE-2024-42063 Information

Description

In the Linux kernel the following vulnerability has been resolved:

bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode

syzbot reported uninit memory usages during map_lookupdelete_elem.

========== BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline] BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796 __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline] dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796 ____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline] bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997 __bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237

The reproducer should be in the interpreter mode.

The C reproducer is trying to run the following bpf prog:

0: (18) r0 = 0x0
2: (18) r1 = map[id:49]
4: (b7) r8 = 16777216
5: (7b) (u64 )(r10 -8) = r8
6: (bf) r2 = r10
7: (07) r2 += -229
        ^^^^^^^^^^

8: (b7) r3 = 8
9: (b7) r4 = 0

10: (85) call dev_map_lookup_elem1543472 11: (95) exit

It is due to the oid key\ (r2) passed to the helper. bpf allows uninit stack memory access for bpf prog with the right privileges. This patch uses kmsan_unpoison_memory() to mark the stack as initialized.

This should address different syzbot reports on the uninit oid key\nargument during map_lookupdelete_elem.

Reference

https://git.kernel.org/stable/c/b30f3197a6cd080052d5d4973f9a6b479fd9fff5 https://git.kernel.org/stable/c/d812ae6e02bd6e6a9cd1fdb09519c2f33e875faf https://git.kernel.org/stable/c/3189983c26108cf0990e5c46856dc9feb9470d12 https://git.kernel.org/stable/c/e8742081db7d01f980c6161ae1e8a1dbc1e30979