I. Vulnerability information
Vulnerability ID: CVE-2024-56702
Affected component: kernel
Affected component versions: 4.19.140, 4.19.194, 4.19.90, 5.10.0, 6.1.19, 6.4.0, 6.6.0
CVSS V3.0 score:
BaseScore:0.0 None
Vector:CVSS:3.0/
Vulnerability summary:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Mark raw_tp arguments with PTR_MAYBE_NULL
Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0].
Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel.
To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment.
The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag.
To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL.
While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now.
It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later.
Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable.
[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb
Vulnerability disclosure time: 2024-12-28 18:15:17
Vulnerability creation time: 2024-12-28 18:32:45
Vulnerability detail reference links:
https://nvd.nist.gov/vuln/detail/CVE-2024-56702
Reference source | Reference link | Source link |
---|---|---|
416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/3634d4a310820567fc634bf8f1ee2b91378773e8 | |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6 | |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cb4158ce8ec8a5bb528cc1693356a5eb8058094d | |
redhat_bugzilla | https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb | https://bugzilla.redhat.com/show_bug.cgi?id=2334670 |
redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024122837-CVE-2024-56702-172d@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2334670 |
debian | https://security-tracker.debian.org/tracker/CVE-2024-56702 | |
Vulnerability analysis guide link:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
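Vulnerability data source:
openBrain open-source vulnerability awareness system
Vulnerability patch information:
None
II. Vulnerability analysis structured feedback
Impact analysis description: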
In the Linux kernel, the following vulnerability has been resolved:
bpf: Mark raw_tp arguments with PTR_MAYBE_NULL
Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0].
Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel.
To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment.
The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag.
To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL.
While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now.
It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later.
Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable.
[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb
The Linux kernel CVE team has assigned CVE-2024-56702 to this issue.
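openEuler score:
5.5
Vector:CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected version check (affected/not affected):
1. openEuler-24.03-LTS: affected
2. openEuler-24.03-LTS-SP1: affected
3. openEuler-20.03-LTS-SP4(4.19.90): not affected
4. openEuler-22.03-LTS-SP1: not affected
5. openEuler-22.03-LTS-SP3: not affected
6. openEuler-22.03-LTS-SP4: not affected
7. master: not affected
8. openEuler-24.03-LTS-Next: not affected
Does the fix involve ABI changes (yes/no):
1. openEuler-20.03-LTS-SP4(4.19.90): no
2. openEuler-22.03-LTS-SP1: no
3. openEuler-22.03-LTS-SP3: no
4. master: no
5. openEuler-24.03-LTS: no
6. openEuler-24.03-LTS-Next: no
7. openEuler-22.03-LTS-SP4: no
8. openEuler-24.03-LTS-SP1: no
Reason:
1. openEuler-24.03-LTS: fixed normally
2. openEuler-24.03-LTS-SP1: fixed normally
3. master: not affected - the vulnerable code cannot be triggered by an attacker
4. openEuler-24.03-LTS-Next: not affected - the vulnerable code cannot be triggered by an attacker
5. openEuler-20.03-LTS-SP4(4.19.90): not affected - the vulnerable code is not present
6. openEuler-22.03-LTS-SP1: not affected - the vulnerable code is not present
7. openEuler-22.03-LTS-SP3: not affected - the vulnerable code is not present
8. openEuler-22.03-LTS-SP4: not affected - the vulnerable code is not present
III. Vulnerability fix
Security advisory link: https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1036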
CVE-2024-56702
Impact analysis description:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Mark raw_tp arguments with PTR_MAYBE_NULL
Arguments to a raw tracepoint are tagged as trusted, which carries the
semantics that the pointer will be non-NULL. However, in certain cases,
a raw tracepoint argument may end up being NULL. More context about this
issue is available in [0].
Thus, there is a discrepancy between the reality, that raw_tp arguments
can actually be NULL, and the verifier's knowledge, that they are never
NULL, causing explicit NULL checks to be deleted, and accesses to such
pointers potentially crashing the kernel.
To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special
case the dereference and pointer arithmetic to permit it, and allow
passing them into helpers/kfuncs; these exceptions are made for raw_tp
programs only. Ensure that we don't do this when ref_obj_id > 0, as in
that case this is an acquired object and doesn't need such adjustment.
The reason we do mask_raw_tp_trusted_reg logic is because other will
recheck in places whether the register is a trusted_reg, and then
consider our register as untrusted when detecting the presence of the
PTR_MAYBE_NULL flag.
To allow safe dereference, we enable PROBE_MEM marking when we see loads
into trusted pointers with PTR_MAYBE_NULL.
While trusted raw_tp arguments can also be passed into helpers or kfuncs
where such broken assumption may cause issues, a future patch set will
tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can
already be passed into helpers and causes similar problems. Thus, they
are left alone for now.
It is possible that these checks also permit passing non-raw_tp args
that are trusted PTR_TO_BTF_ID with null marking. In such a case,
allowing dereference when pointer is NULL expands allowed behavior, so
won't regress existing programs, and the case of passing these into
helpers is the same as above and will be dealt with later.
Also update the failure case in tp_btf_nullable selftest to capture the
new behavior, as the verifier will no longer cause an error when
directly dereference a raw tracepoint argument marked as __nullable.
[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb
The Linux kernel CVE team has assigned CVE-2024-56702 to this issue.
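openEuler score: (score and vector)
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected version check (affected/not affected):
1. openEuler-20.03-LTS-SP4: not affected
2. openEuler-22.03-LTS-SP1: not affected
3. openEuler-22.03-LTS-SP3: not affected
4. openEuler-22.03-LTS-SP4: not affected
5. master(6.1.0): not affected
6. openEuler-24.03-LTS: affected
7. openEuler-24.03-LTS-Next: not affected
8. openEuler-24.03-LTS-SP1: affected
Does the fix involve ABI changes (yes/no):
1. openEuler-20.03-LTS-SP4: no
2. openEuler-22.03-LTS-SP1: no
3. openEuler-22.03-LTS-SP3: no
4. master(6.1.0): no
5. openEuler-24.03-LTS: no
6. openEuler-24.03-LTS-Next: no
7. openEuler-22.03-LTS-SP4: no
8. openEuler-24.03-LTS-SP1: no
Reason:
1. master(23.08.5): not affected - the vulnerable code cannot be triggered by an attacker
2. openEuler-20.03-LTS-SP4: not affected - the vulnerable code is not present
3. openEuler-22.03-LTS-SP1: not affected - the vulnerable code is not present
4. openEuler-22.03-LTS-SP3: not affected - the vulnerable code is not present
5. openEuler-22.03-LTS-SP4: not affected - the vulnerable code is not present
6. openEuler-24.03-LTS: fixed normally
7. openEuler-24.03-LTS-Next: not affected - the vulnerable code cannot be triggered by an attacker
8. openEuler-24.03-LTS-SP1: fixed normally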
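The verifier behaviour described in the commit message above, as a toy C model added here for illustration; it is not kernel code and not part of the original issue. The flag values and the names raw_tp_arg, null_check_is_pruned, classify_load and null_arg_can_crash are constructed for the example.

```c
/* Toy model of the verifier decisions in the commit message; not kernel code.
 * Flag values and every name below are constructed for this example. */
#include <stdbool.h>
#include <stdio.h>
enum { PTR_TO_BTF_ID = 1 << 0, PTR_TRUSTED = 1 << 1, PTR_MAYBE_NULL = 1 << 2 };
enum load_kind { LOAD_REJECTED, LOAD_DIRECT, LOAD_PROBE_MEM };

/* type: base type plus flags; ref_obj_id > 0 means an acquired object */
struct reg { unsigned type; unsigned ref_obj_id; };

/* Type given to a raw_tp argument before and after the fix. */
static struct reg raw_tp_arg(bool patched)
{
    struct reg r = { PTR_TO_BTF_ID | PTR_TRUSTED, 0 };
    if (patched)
        r.type |= PTR_MAYBE_NULL;
    return r;
}

/* `if (!p)` is dead code when the verifier believes p can never be NULL. */
static bool null_check_is_pruned(struct reg r)
{
    return (r.type & PTR_TRUSTED) && !(r.type & PTR_MAYBE_NULL);
}

/* How a load through a trusted PTR_TO_BTF_ID register is handled. */
static enum load_kind classify_load(struct reg r, bool is_raw_tp_prog)
{
    if (!(r.type & PTR_MAYBE_NULL))
        return LOAD_DIRECT;    /* believed non-NULL: plain load */
    /* Exception from the fix: raw_tp programs only, not acquired objects. */
    if (is_raw_tp_prog && r.ref_obj_id == 0)
        return LOAD_PROBE_MEM; /* load marked PROBE_MEM, safe on NULL */
    return LOAD_REJECTED;      /* usual rule: NULL-check before dereference */
}

/* A NULL argument faults only if the check was removed and the load is plain. */
static bool null_arg_can_crash(struct reg r, bool is_raw_tp_prog)
{
    return null_check_is_pruned(r) &&
           classify_load(r, is_raw_tp_prog) == LOAD_DIRECT;
}

int main(void)
{
    for (int patched = 0; patched <= 1; patched++)
        printf("patched=%d null_arg_can_crash=%d\n", patched,
               null_arg_can_crash(raw_tp_arg(patched), true));
    return 0;
}
```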