CVE-2023-52452

一、漏洞信息
 漏洞编号：[CVE-2023-52452](https://nvd.nist.gov/vuln/detail/CVE-2023-52452)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0
 CVSS V3.0分值：
  BaseScore：7.8 High
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:bpf: Fix accesses to uninit stack slotsPrivileged programs are supposed to be able to read uninitialized stackmemory (ever since 6715df8d5) but, before this patch, these accesseswere permitted inconsistently. In particular, accesses were permittedabove state->allocated_stack, but not below it. In other words, if thestack was already  large enough , the access was permitted, butotherwise the access was rejected instead of being allowed to  grow thestack . This undesired rejection was happening in two places:- in check_stack_slot_within_bounds()- in check_stack_range_initialized()This patch arranges for these accesses to be permitted. A bunch of teststhat were relying on the old rejection had to change; all of them werechanged to add also run unprivileged, in which case the old behaviorpersists. One tests couldn t be updated - global_func16 - because itcan t run unprivileged for other reasons.This patch also fixes the tracking of the stack size for variable-offsetreads. This second fix is bundled in the same commit as the first onebecause they re inter-related. Before this patch, writes to the stackusing registers containing a variable offset (as opposed to registerswith fixed, known values) were not properly contributing to thefunction s needed stack size. As a result, it was possible for a programto verify, but then to attempt to read out-of-bounds data at runtimebecause a too small stack had been allocated for it.Each function tracks the size of the stack it needs inbpf_subprog_info.stack_depth, which is maintained byupdate_stack_depth(). For regular memory accesses, check_mem_access()was calling update_state_depth() but it was passing in only the fixedpart of the offset register, ignoring the variable offset. This wasincorrect; the minimum possible value of that register should be usedinstead.This tracking is now fixed by centralizing the tracking of stack size ingrow_stack_state(), and by lifting the calls to grow_stack_state() tocheck_stack_access_within_bounds() as suggested by Andrii. The code isnow simpler and more convincingly tracks the correct maximum stack size.check_stack_range_initialized() can now rely on enough stack having beenallocated for the access; this helps with the fix for the first issue.A few tests were changed to also check the stack depth computation. Theone that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
 漏洞公开时间：2024-02-23 01:15:08
 漏洞创建时间：2024-02-23 01:35:51
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2023-52452
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52452 | https://bugzilla.suse.com/show_bug.cgi?id=1220257 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2023-52452 | https://bugzilla.suse.com/show_bug.cgi?id=1220257 |
| suse_bugzilla | https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 | https://bugzilla.suse.com/show_bug.cgi?id=1220257 |
| suse_bugzilla | https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 | https://bugzilla.suse.com/show_bug.cgi?id=1220257 |
| suse_bugzilla | https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde | https://bugzilla.suse.com/show_bug.cgi?id=1220257 |
| cve_search |  | https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 |
| cve_search |  | https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde |
| cve_search |  | https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 |
| snyk | https://github.com/torvalds/linux/commit/6b4a64bafd107e521c01eec3453ce94a3fb38529 | https://security.snyk.io/vuln/SNYK-UNMANAGED-TORVALDSLINUX-6282359 |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde |  |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://github.com/torvalds/linux/commit/6b4a64bafd107e521c01eec3453ce94a3fb38529 |  | snyk |
|  |  | https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19 |  | nvd |
|  |  | https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529 |  | nvd |
|  |  | https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde |  | nvd |
| linux_kernel | 6.6.14 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0954982db8283016bf38e9db2da5adf47a102e19 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=01f810ace9ed3 | linuxkernelcves |
| linux_kernel | 6.7.2 | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=fbcf372c8eda2290470268e0afb5ab5d5f5d5fde | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=01f810ace9ed3 | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
      In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already  large enough , the access was permitted, but otherwise the access was rejected instead of being allowed to  grow the stack . This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn t be updated - global_func16 - because it can t run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they re inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function s needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.  
 openEuler评分：
  7.8
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-22.03-LTS(5.10.0):受影响
2.openEuler-22.03-LTS-SP1(5.10.0):受影响
3.openEuler-22.03-LTS-SP2(5.10.0):受影响
4.openEuler-22.03-LTS-SP3:受影响
5.openEuler-22.03-LTS-Next(5.10.0):受影响
6.openEuler-20.03-LTS-SP1(4.19.90):不受影响
7.openEuler-20.03-LTS-SP4:不受影响
8.master(6.1.0):不受影响
9.openEuler-24.03-LTS:不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS(5.10.0):否
4.openEuler-22.03-LTS-SP1(5.10.0):否
5.openEuler-22.03-LTS-SP2(5.10.0):否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next(5.10.0):否
9.openEuler-24.03-LTS:否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1301

src-openEuler/kernel
Closed

Content Risk Flag

Comments (8)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2023-52452

Comments (8)

Search

src-openEuler/kernel
Closed