CVE-2024-41003

一、漏洞信息
 漏洞编号：[CVE-2024-41003](https://nvd.nist.gov/vuln/detail/CVE-2024-41003)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 Low
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:bpf: Fix reg_set_min_max corruption of fake_regJuan reported that after doing some changes to buzzer [0] and implementinga new fuzzing strategy guided by coverage, they noticed the following inone of the probes:  [...]  13: (79) r6 = *(u64 *)(r0 +0)         ; R0=map_value(ks=4,vs=8) R6_w=scalar()  14: (b7) r0 = 0                       ; R0_w=0  15: (b4) w0 = -1                      ; R0_w=0xffffffff  16: (74) w0 >>= 1                     ; R0_w=0x7fffffff  17: (5c) w6 &= w0                     ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))  18: (44) w6 |= 2                      ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))  19: (56) if w6 != 0x7ffffffd goto pc+1  REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)  REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)  REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)  19: R6_w=0x7fffffff  20: (95) exit  from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  21: (14) w6 -= 2147483632             ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd))  22: (76) if w6 s>= 0xe goto pc+1      ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd))  23: (95) exit  from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  24: (14) w6 -= 14                     ; R6_w=0  [...]What can be seen here is a register invariant violation on line 19. Afterthe binary-or in line 18, the verifier knows that bit 2 is set but knowsnothing about the rest of the content which was loaded from a map value,meaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When inline 19 the verifier analyzes the branch, it splits the register statesin reg_set_min_max() into the registers of the true branch (true_reg1,true_reg2) and the registers of the false branch (false_reg1, false_reg2).Since the test is w6 != 0x7ffffffd, the src_reg is a known constant.Internally, the verifier creates a  fake  register initialized as scalarto the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now,for line 19, it is mathematically impossible to take the false branch ofthis program, yet the verifier analyzes it. It is impossible because thesecond bit of r6 will be set due to the prior or operation and theconstant in the condition has that bit unset (hex(fd) == binary(1111 1101).When the verifier first analyzes the false / fall-through branch, it willcompute an intersection between the var_off of r6 and of the constant. Thisis because the verifier creates a  fake  register initialized to the valueof the constant. The intersection result later refines both registers inregs_refine_cond_op():  [...]  t = tnum_intersect(tnum_subreg(reg1->var_off), tnum_subreg(reg2->var_off));  reg1->var_o---truncated---
 漏洞公开时间：2024-07-12 21:15:21
 漏洞创建时间：2024-07-14 10:24:29
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-41003
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-41003 | https://bugzilla.suse.com/show_bug.cgi?id=1227850 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-41003 | https://bugzilla.suse.com/show_bug.cgi?id=1227850 |
| suse_bugzilla | https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b | https://bugzilla.suse.com/show_bug.cgi?id=1227850 |
| suse_bugzilla | https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2 | https://bugzilla.suse.com/show_bug.cgi?id=1227850 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-41003.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1227850 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-41003 | https://ubuntu.com/security/CVE-2024-41003 |
| ubuntu | https://git.kernel.org/linus/92424801261d1564a0bb759da3cf3ccd69fdf5a2 (6.10-rc5) | https://ubuntu.com/security/CVE-2024-41003 |
| ubuntu | https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b | https://ubuntu.com/security/CVE-2024-41003 |
| ubuntu | https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2 | https://ubuntu.com/security/CVE-2024-41003 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-41003 | https://ubuntu.com/security/CVE-2024-41003 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-41003 | https://ubuntu.com/security/CVE-2024-41003 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-41003 | https://ubuntu.com/security/CVE-2024-41003 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-41003 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  其它
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux |  | https://git.kernel.org/linus/92424801261d1564a0bb759da3cf3ccd69fdf5a2 | https://git.kernel.org/linus/67420501e8681ae18f9f0ea0a69cd2f432100e70 | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
    Reserved. 
 openEuler评分：
  3.9
 Vector：CVSS：2.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):不受影响
2.openEuler-22.03-LTS-SP1(5.10.0):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.1.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

@yangyingliang ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 ,@gasonchen 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.1.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

<table><tr><th white-space: nowrap;>参考网址</th> <th white-space: nowrap;>关联pr</th> <th white-space: nowrap;>状态</th> <th white-space: nowrap;>补丁链接</th></tr><tr><td rowspan="1">https://nvd.nist.gov/vuln/detail/CVE-2024-41003</td><td>None</td><td>None</td><td><a href=https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2>https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2</a><br /><a href=https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b>https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b</a></td></tr><tr><td rowspan="1">https://ubuntu.com/security/CVE-2024-41003</td><td>None</td><td>None</td><td><a href=https://discourse.ubuntu.com/c/ubuntu-pro>https://discourse.ubuntu.com/c/ubuntu-pro</a></td></tr><tr><td rowspan="1">https://www.opencve.io/cve/CVE-2024-41003</td><td>None</td><td>None</td><td><a href=https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2>https://git.kernel.org/stable/c/92424801261d1564a0bb759da3cf3ccd69fdf5a2</a><br /><a href=https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b>https://git.kernel.org/stable/c/41e8ab428a9964df378fa45760a660208712145b</a></td></tr><tr><td>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-41003</td><td></td><td></td><td></td></tr><tr><td rowspan="1">https://security-tracker.debian.org/tracker/CVE-2024-41003</td><td>None</td><td>None</td><td><a href=https://git.kernel.org/linus/92424801261d1564a0bb759da3cf3ccd69fdf5a2>https://git.kernel.org/linus/92424801261d1564a0bb759da3cf3ccd69fdf5a2</a></td></tr></table>

> 说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用[CVE补丁工具](https://gitee.com/openeuler/cve-manager/blob/master/cve-agency-manager/cve_tracking/README.md)。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址 补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2024-41003

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix reg_set_min_max corruption of fake_reg

Juan reported that after doing some changes to buzzer [0] and implementing
a new fuzzing strategy guided by coverage, they noticed the following in
one of the probes:

[...]
  13: (79) r6 = *(u64 *)(r0 +0)         ; R0=map_value(ks=4,vs=8) R6_w=scalar()
  14: (b7) r0 = 0                       ; R0_w=0
  15: (b4) w0 = -1                      ; R0_w=0xffffffff
  16: (74) w0 &gt;&gt;= 1                     ; R0_w=0x7fffffff
  17: (5c) w6 &#38;= w0                     ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))
  18: (44) w6 |= 2                      ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))
  19: (56) if w6 != 0x7ffffffd goto pc+1
  REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
  REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
  REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)
  19: R6_w=0x7fffffff
  20: (95) exit

from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
  21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
  21: (14) w6 -= 2147483632             ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd))
  22: (76) if w6 s&gt;= 0xe goto pc+1      ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd))
  23: (95) exit

from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
  24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm
  24: (14) w6 -= 14                     ; R6_w=0
  [...]

What can be seen here is a register invariant violation on line 19. After
the binary-or in line 18, the verifier knows that bit 2 is set but knows
nothing about the rest of the content which was loaded from a map value,
meaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When in
line 19 the verifier analyzes the branch, it splits the register states
in reg_set_min_max() into the registers of the true branch (true_reg1,
true_reg2) and the registers of the false branch (false_reg1, false_reg2).

Since the test is w6 != 0x7ffffffd, the src_reg is a known constant.
Internally, the verifier creates a &#34;fake&#34; register initialized as scalar
to the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now,
for line 19, it is mathematically impossible to take the false branch of
this program, yet the verifier analyzes it. It is impossible because the
second bit of r6 will be set due to the prior or operation and the
constant in the condition has that bit unset (hex(fd) == binary(1111 1101).

When the verifier first analyzes the false / fall-through branch, it will
compute an intersection between the var_off of r6 and of the constant. This
is because the verifier creates a &#34;fake&#34; register initialized to the value
of the constant. The intersection result later refines both registers in
regs_refine_cond_op():

[...]
  t = tnum_intersect(tnum_subreg(reg1-&gt;var_off), tnum_subreg(reg2-&gt;var_off));
  reg1-&gt;var_off = tnum_with_subreg(reg1-&gt;var_off, t);
  reg2-&gt;var_off = tnum_with_subreg(reg2-&gt;var_off, t);
  [...]

Since the verifier is analyzing the false branch of the conditional jump,
reg1 is equal to false_reg1 and reg2 is equal to false_reg2, i.e. the reg2
is the &#34;fake&#34; register that was meant to hold a constant value. The resulting
var_off of the intersection says that both registers now hold a known value
of var_off=(0x7fffffff, 0x0) or in other words: this operation manages to
make the verifier think that the &#34;constant&#34; value that was passed in the
jump operation now holds a different value.

Normally this would not be an issue since it should not influence the true
branch, however, false_reg2 and true_reg2 are pointers to the same &#34;fake&#34;
register. Meaning, the false branch can influence the results of the true
branch. In line 24, the verifier assumes R6_w=0, but the actual runtime
value in this case is 1. The fix is simply not passing in the same &#34;fake&#34;
register location as inputs to reg_set_min_max(), but instead making a
copy. Moving the fake_reg into the env also reduces stack consumption by
120 bytes. With this, the verifier successfully rejects invalid accesses
from the test program.

[0] <a
href="https://github.com/google/buzzer">https://github.com/google/buzzer</a>

The Linux kernel CVE team has assigned CVE-2024-41003 to this issue.

openEuler评分:(评分和向量)
3.9
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP4:不受影响
2.openEuler-22.03-LTS-SP1:不受影响
3.openEuler-22.03-LTS-SP3:不受影响
4.openEuler-22.03-LTS-SP4:不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS:不受影响
7.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP4:否
2.openEuler-22.03-LTS-SP1:否
3.openEuler-22.03-LTS-SP3:否
4.master(6.1.0):否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-22.03-LTS-SP4:否

@ 经过 cve-manager 解析, 已分析的内容如下表所示:
| 状态  | 需分析 | 内容 |
|:--:|:--:|---------|
|已分析|1.影响性分析说明|In the Linux kernel, the following vulnerability has been resolved:bpf: Fix reg_set_min_max corruption of fake_regJuan reported that after doing some changes to buzzer [0] and implementinga new fuzzing strategy guided by coverage, they noticed the following inone of the probes:  [...]  13: (79) r6 = *(u64 *)(r0 +0)         ; R0=map_value(ks=4,vs=8) R6_w=scalar()  14: (b7) r0 = 0                       ; R0_w=0  15: (b4) w0 = -1                      ; R0_w=0xffffffff  16: (74) w0 &gt;&gt;= 1                     ; R0_w=0x7fffffff  17: (5c) w6 &#38;= w0                     ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))  18: (44) w6 |= 2                      ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))  19: (56) if w6 != 0x7ffffffd goto pc+1  REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)  REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)  REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)  19: R6_w=0x7fffffff  20: (95) exit  from 19 to 21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  21: R0=0x7fffffff R6=scalar(smin=umin=smin32=umin32=2,smax=umax=smax32=umax32=0x7ffffffe,var_off=(0x2; 0x7ffffffd)) R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  21: (14) w6 -= 2147483632             ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=14,var_off=(0x2; 0xfffffffd))  22: (76) if w6 s&gt;= 0xe goto pc+1      ; R6_w=scalar(smin=umin=umin32=2,smax=umax=0xffffffff,smin32=0x80000012,smax32=13,var_off=(0x2; 0xfffffffd))  23: (95) exit  from 22 to 24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  24: R0=0x7fffffff R6_w=14 R7=map_ptr(ks=4,vs=8) R9=ctx() R10=fp0 fp-24=map_ptr(ks=4,vs=8) fp-40=mmmmmmmm  24: (14) w6 -= 14                     ; R6_w=0  [...]What can be seen here is a register invariant violation on line 19. Afterthe binary-or in line 18, the verifier knows that bit 2 is set but knowsnothing about the rest of the content which was loaded from a map value,meaning, range is [2,0x7fffffff] with var_off=(0x2; 0x7ffffffd). When inline 19 the verifier analyzes the branch, it splits the register statesin reg_set_min_max() into the registers of the true branch (true_reg1,true_reg2) and the registers of the false branch (false_reg1, false_reg2).Since the test is w6 != 0x7ffffffd, the src_reg is a known constant.Internally, the verifier creates a &#34;fake&#34; register initialized as scalarto the value of 0x7ffffffd, and then passes it onto reg_set_min_max(). Now,for line 19, it is mathematically impossible to take the false branch ofthis program, yet the verifier analyzes it. It is impossible because thesecond bit of r6 will be set due to the prior or operation and theconstant in the condition has that bit unset (hex(fd) == binary(1111 1101).When the verifier first analyzes the false / fall-through branch, it willcompute an intersection between the var_off of r6 and of the constant. Thisis because the verifier creates a &#34;fake&#34; register initialized to the valueof the constant. The intersection result later refines both registers inregs_refine_cond_op():  [...]  t = tnum_intersect(tnum_subreg(reg1-&gt;var_off), tnum_subreg(reg2-&gt;var_off));  reg1-&gt;var_off = tnum_with_subreg(reg1-&gt;var_off, t);  reg2-&gt;var_off = tnum_with_subreg(reg2-&gt;var_off, t);  [...]Since the verifier is analyzing the false branch of the conditional jump,reg1 is equal to false_reg1 and reg2 is equal to false_reg2, i.e. the reg2is the &#34;fake&#34; register that was meant to hold a constant value. The resultingvar_off of the intersection says that both registers now hold a known valueof var_off=(0x7fffffff, 0x0) or in other words: this operation manages tomake the verifier think that the &#34;constant&#34; value that was passed in thejump operation now holds a different value.Normally this would not be an issue since it should not influence the truebranch, however, false_reg2 and true_reg2 are pointers to the same &#34;fake&#34;register. Meaning, the false branch can influence the results of the truebranch. In line 24, the verifier assumes R6_w=0, but the actual runtimevalue in this case is 1. The fix is simply not passing in the same &#34;fake&#34;register location as inputs to reg_set_min_max(), but instead making acopy. Moving the fake_reg into the env also reduces stack consumption by120 bytes. With this, the verifier successfully rejects invalid accessesfrom the test program.  [0] <ahref="https://github.com/google/buzzer">https://github.com/google/buzzer</a>The Linux kernel CVE team has assigned CVE-2024-41003 to this issue.|
|已分析|2.openEulerScore|3.9|
|已分析|3.openEulerVector|AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L|
|已分析|4.受影响版本排查|openEuler-20.03-LTS-SP4:不受影响,openEuler-22.03-LTS-SP1:不受影响,openEuler-22.03-LTS-SP3:不受影响,openEuler-22.03-LTS-SP4:不受影响,master:不受影响,openEuler-24.03-LTS:不受影响,openEuler-24.03-LTS-Next:不受影响|
|已分析|5.修复是否涉及abi变化|openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP3:否,master:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-22.03-LTS-SP4:否|

**请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.**

src-openEuler/kernel

内容风险标识

评论 (7)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-41003

评论 (7)

搜索帮助

src-openEuler/kernel