Bug 1215863 (CVE-2023-39191)

Summary: VUL-0: CVE-2023-39191: kernel: Linux Kernel eBPF Improper Input Validation Privilege Escalation Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: chester.lin, gabriele.sonnu, jlee, kernel-bugs, meissner, shung-hsi.yu, simonalogan, stoyan.manolov, tonyj
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/380410/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39191:8.2:(AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1215887    

Description SMASH SMASH 2023-10-02 09:49:11 UTC 
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39191
Comment 1 Gabriele Sonnu 2023-10-02 15:57:04 UTC 
Patch set:

https://lore.kernel.org/all/20230121002241.2113993-1-memxor@gmail.com/

looks like this fixes commit 97e03f521050c092919591e668107b3d69c5f426, that we have in SLE15-SP5, SLE15-SP6 and stable. SLE15-SP6 and stable seems to also contain the fixing commit, while SLE15-SP5 do not.

@kernel-team, please confirm.
Comment 2 Chester Lin 2023-10-03 05:24:09 UTC 
Reassigning to a concrete person to ensure progress [1] (feel free to pass to the next one), see also the process at [2].
 
Hi Shung-Hsi,

Could you take a look at this CVE? As Gabriele mentioned, this CVE can be solved by a patchset, which has been merged in upstream v6.3-rc1 [commit id: 84150795a49a]. It also fixes bugs introduced by 97e03f521050 that we have backported in SLE15-SP5. Since SLE15-SP6 and ALP are based on v6.4, I assume that these two repos should not be affected. Should we backport this patchset for SLE15-SP5?
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 3 Shung-Hsi Yu 2023-10-03 11:43:23 UTC 
(In reply to Chester Lin from comment #2)
> Reassigning to a concrete person to ensure progress [1] (feel free to pass
> to the next one), see also the process at [2].

Thanks!

> Hi Shung-Hsi,
> 
> Could you take a look at this CVE? As Gabriele mentioned, this CVE can be
> solved by a patchset, which has been merged in upstream v6.3-rc1 [commit id:
> 84150795a49a]. It also fixes bugs introduced by 97e03f521050 that we have
> backported in SLE15-SP5. Since SLE15-SP6 and ALP are based on v6.4, I assume
> that these two repos should not be affected. Should we backport this
> patchset for SLE15-SP5?

Yes, we should backport to SLE15-SP5, will work on this.
Comment 5 Shung-Hsi Yu 2023-10-12 06:45:15 UTC 
I've backported the "Dynptr fixes" series to SLE15-SP5, submitted to users/syu/SLE15-SP5/for-next (head commit 9f9ad1888b35). This pulled in quite some other upstream commits along, here's the full list:
- b239da34203f bpf: Add helper macro bpf_for_each_reg_in_vstate
- e9e315b4a5de bpf: Move dynptr type check to is_dynptr_type_expected()
- "Dynptr refactorings"[1] series (dependency)
  - 6b75bd3d0367 bpf: Refactor ARG_PTR_TO_DYNPTR checks into process_dynptr_func
  - ac50fe51ce87 bpf: Propagate errors from process_* checks in check_func_arg
  - 270605317366 bpf: Rework process_dynptr_func
  - 184c9bdb8f65 bpf: Rework check_func_arg_reg_off
  - f6ee298fa140 bpf: Move PTR_TO_STACK alignment check to process_dynptr_func
  - 76d16077bef0 bpf: Use memmove for bpf_dynptr_{read,write}
- "Dynptr fixes"[2] series (patchset that addresses this issue)
  - d6fefa1105da bpf: Fix state pruning for STACK_DYNPTR stack slots
  - 79168a669d81 bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR
  - ef8fc7a07c0e bpf: Fix partial dynptr stack slot reads/writes
  - f8064ab90d66 bpf: Invalidate slices on destruction of dynptrs on stack
  - 379d4ba831cf bpf: Allow reinitializing unreferenced dynptr stack slots
  - f5b625e5f8bb bpf: Combine dynptr_get_spi and is_spi_bounds_valid
  - 1ee72bcbe48d bpf: Avoid recomputing spi in process_dynptr_func

And here's kselftest patches that were backported along the fixes:
- cbd620fc18ca selftests/bpf: Copy over libbpf configs
- dc444be8bae4 selftests/bpf: add extra test for using dynptr data slice after release
- b94fa9f9dcf9 selftests/bpf: Add tests for dynamic pointers parameters in kfuncs
- 26c386ecf021 selftests/bpf: convert dynptr_fail and map_kptr_fail subtests to generic tester
- "Dynptr fixes"[2] series
  - 91b875a5e43b selftests/bpf: convenience macro for use with 'asm volatile' blocks
  - f4d24edf1b92 selftests/bpf: Add dynptr pruning tests
  - ef4810135396 selftests/bpf: Add dynptr var_off tests
  - 011edc8e49b8 selftests/bpf: Add dynptr partial slot overwrite tests
  - ae8e354c497a selftests/bpf: Add dynptr helper tests

1: https://lore.kernel.org/r/20221207204141.308952-1-memxor@gmail.com
2: https://lore.kernel.org/r/20230121002241.2113993-1-memxor@gmail.com
Comment 6 Shung-Hsi Yu 2023-10-12 06:49:29 UTC 
(In reply to Shung-Hsi Yu from comment #5)
> [snip]
> - b239da34203f bpf: Add helper macro bpf_for_each_reg_in_vstate
> - e9e315b4a5de bpf: Move dynptr type check to is_dynptr_type_expected()
> - "Dynptr refactorings"[1] series (dependency)
>   - 6b75bd3d0367 bpf: Refactor ARG_PTR_TO_DYNPTR checks into
> process_dynptr_func
>   - ac50fe51ce87 bpf: Propagate errors from process_* checks in
> check_func_arg
>   - 270605317366 bpf: Rework process_dynptr_func
>   - 184c9bdb8f65 bpf: Rework check_func_arg_reg_off
>   - f6ee298fa140 bpf: Move PTR_TO_STACK alignment check to
> process_dynptr_func
>   - 76d16077bef0 bpf: Use memmove for bpf_dynptr_{read,write}
> - "Dynptr fixes"[2] series (patchset that addresses this issue)
>   - d6fefa1105da bpf: Fix state pruning for STACK_DYNPTR stack slots
>   - 79168a669d81 bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR
>   - ef8fc7a07c0e bpf: Fix partial dynptr stack slot reads/writes

AFAICT the main fixes are the above three commits, but I've decided to backport the whole series to better match upstream

>   - f8064ab90d66 bpf: Invalidate slices on destruction of dynptrs on stack
>   - 379d4ba831cf bpf: Allow reinitializing unreferenced dynptr stack slots
>   - f5b625e5f8bb bpf: Combine dynptr_get_spi and is_spi_bounds_valid
>   - 1ee72bcbe48d bpf: Avoid recomputing spi in process_dynptr_func
> [snip]
Comment 7 Shung-Hsi Yu 2023-10-12 06:52:49 UTC 
I'll check that the following test passes before marking this as resolved
- f4d24edf1b92 selftests/bpf: Add dynptr pruning tests
- ef4810135396 selftests/bpf: Add dynptr var_off tests
- 011edc8e49b8 selftests/bpf: Add dynptr partial slot overwrite tests
- ae8e354c497a selftests/bpf: Add dynptr helper tests
Comment 8 Shung-Hsi Yu 2023-10-17 07:57:19 UTC 
Confirmed that the following BPF kselftests changed from FAIL to OK once the fixes are applied, reassigning back to security team.

#53/38   dynptr/dynptr_overwrite_ref
#53/39   dynptr/dynptr_read_into_slot
#53/40   dynptr/uninit_write_into_slot
#53/41   dynptr/invalid_data_slices
#53/42   dynptr/dynptr_pruning_overwrite
#53/44   dynptr/dynptr_pruning_type_confusion
#53/45   dynptr/dynptr_var_off_overwrite
#53/46   dynptr/dynptr_partial_slot_invalidate
Comment 16 Simon Logan 2023-11-22 16:41:52 UTC 
Hi Shung-Hsi, is it possible to get this fixed in Leap 15.4?

Thanks,
Simon
Comment 17 Marcus Meissner 2023-11-22 17:18:28 UTC 
the problematic bug was not backported to SLES 15 SP4 / Leap 15.4 kernels.
Comment 18 Simon Logan 2023-11-28 11:45:49 UTC 
(In reply to Marcus Meissner from comment #17)
> the problematic bug was not backported to SLES 15 SP4 / Leap 15.4 kernels.

Thanks Marcus.

Simon