Bug 1215518 (CVE-2023-2163) - VUL-0: CVE-2023-2163: kernel-source-rt,kernel-source-azure,kernel-source: Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memor
Summary: VUL-0: CVE-2023-2163: kernel-source-rt,kernel-source-azure,kernel-source: Inc...
Status: RESOLVED FIXED
Alias: CVE-2023-2163
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Importance: P1 - Urgent / Critical
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/379444/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2163:7.1:(AV:L...
Keywords:
Depends on:
Blocks: 1215519
Reported: 2023-09-20 12:23 UTC by Marcus Meissner
Modified: 2024-01-31 12:47 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2023-09-20 12:23:31 UTC
CVE-2023-2163

Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe
code paths being incorrectly marked as safe, resulting in arbitrary read/write
in kernel memory, lateral privilege escalation, and container escape.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2163
https://www.cve.org/CVERecord?id=CVE-2023-2163
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=71b547f561247897a0a14f3082730156c0533fed
Comment 1 Michal Koutný 2023-09-20 12:29:34 UTC
Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].

This is a git-fixes for
> b5dc0163d8fd ("bpf: precise scalar_value tracking") v5.3-rc1~140^2~179^2^2
(5.3-based kernels are affected).

Marcus, the bug whiteboard is missing the score evaluation. Could you please correct it?
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 3 Marcus Meissner 2023-09-20 12:34:02 UTC
Score filled in.

FWIW NVD rated it 10 (fully remote network exploitable), but I disagree, as this is a local exploit in my eyes.

Also, I think we have meanwhile disabled unprivileged eBPF by default, reducing the attack surface.
Comment 5 Nathan Cutler 2023-09-25 08:21:02 UTC
> FWIW NVD rated it 10 (fully remote network exploitable), but I disagree, as
> this is a local exploit in my eyes.

According to https://nvd.nist.gov/vuln/detail/CVE-2023-2163 the NVD rating has been corrected downward to 8.8.
Comment 7 Shung-Hsi Yu 2023-09-25 14:20:06 UTC
(In reply to Marcus Meissner from comment #3)
> score filled in.
> 
> FWIW NVD rated it 10 (fully remote network exploitable), but I disagree, as
> this is a local exploit in my eyes.
> 
> Also I think we meanwhile disabled unprivileged ebpf by default, reducing
> the attack surface.

Agree with Marcus on both points above. BPF programs can only be loaded locally, and the default settings in our kernels only permit BPF programs to be loaded by processes with at least the CAP_BPF capability.
Comment 9 Marcus Meissner 2023-10-06 12:05:07 UTC
Did you commit this to any branches yet?
Comment 10 Shung-Hsi Yu 2023-10-12 07:10:35 UTC
(In reply to Marcus Meissner from comment #9)
> did you commit this to any branches yet?

Just submitted a fix for SLE15-SP5 in users/syu/SLE15-SP5 (head commit 9f9ad1888b35) today, which contains the fix for this bug (along with other fixes):
- 71b547f56124 bpf: Fix incorrect verifier pruning due to missing register precision taints

Will work on the other branches now and submit them ASAP.

(needinfo myself so as not to lose track of it)
Comment 11 Shung-Hsi Yu 2023-10-13 15:52:44 UTC
Fix is merged in SLE15-SP4 and SLE15-SP4. And submitted to cve/linux-5.3 in users/syu/cve/linux-5.3/for-next.

Reassigning back to security team.
Comment 12 Marcos de Souza 2023-10-17 20:44:42 UTC
(In reply to Shung-Hsi Yu from comment #11)
> Fix is merged in SLE15-SP4 and SLE15-SP4. And submitted to cve/linux-5.3 in
> users/syu/cve/linux-5.3/for-next.
> 
> Reassigning back to security team.

Hi Shung-Hsi,

on users/syu/cve/linux-5.3/for-next, only the top commit mentions CVE-2023-2163. Can you elaborate on which patches are necessary in order to solve the CVE?

Also, when checking origin/SLE15-SP4, the only recent commit that I see is 

  commit 71da1d61de4ec087e238aba899d0d16235cbc873 (origin/users/syu/SLE15-SP4/for-next)
  Author: Shung-Hsi Yu <shung-hsi.yu@suse.com>
  Date:   Fri Oct 13 10:42:35 2023 +0800
   
*     bpf: Fix incorrect verifier pruning due to missing register
      precision taints (bsc#1215518 CVE-2023-2163).

So "bpf: precise scalar_value tracking" is not needed?

Thanks in advance,
  Marcos
Comment 13 Shung-Hsi Yu 2023-10-18 02:54:32 UTC
Hi Marcos!

(In reply to Marcos de Souza from comment #12)
> on users/syu/cve/linux-5.3/for-next, only the top commits mentions CVE-2023-2163. Can you elaborate on which patches are necessary in order to solve the CVE?
> 
> Also, when checking origin/SLE15-SP4, the only recent commit that I see is
> 
>   commit 71da1d61de4ec087e238aba899d0d16235cbc873 (origin/users/syu/SLE15-SP4/for-next)
>   Author: Shung-Hsi Yu <shung-hsi.yu@suse.com>
>   Date:   Fri Oct 13 10:42:35 2023 +0800
> 
> *     bpf: Fix incorrect verifier pruning due to missing register
>       precision taints (bsc#1215518 CVE-2023-2163).

Did you mean to swap users/syu/cve/linux-5.3/for-next and origin/SLE15-SP4 in the above? As I've only added one commit to users/syu/cve/linux-5.3/for-next, while origin/SLE15-SP4 additionally has the following:

commit 2884e5f3bf58e0d940d94e5114f64923b4a79a9d
Author: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Date:   Fri Oct 13 10:42:35 2023 +0800

    bpf: propagate precision in ALU/ALU64 operations (git-fixes).

> So "bpf: precise scalar_value tracking" is not needed?

Upstream commit `b5dc0163d8fd` "bpf: precise scalar_value tracking" is part of v5.3, so I'm taking the leap that you're asking whether upstream commit `a3b666bfa9c9` "bpf: propagate precision in ALU/ALU64 operations" (SUSE commit 2884e5f3bf58 mentioned above) is needed to fix CVE-2023-2163, given the reference is git-fixes and didn't mention CVE-2023-2163.

(Hopefully I didn't misunderstand anything so far)

I believe the fix in "bpf: propagate precision in ALU/ALU64 operations" does not apply to the condition of CVE-2023-2163 (see the commit message of upstream commit 71b547f56124 "bpf: Fix incorrect verifier pruning due to missing register precision taints" for details), hence I didn't add the reference to that CVE and used git-fixes instead.
Comment 33 Maintenance Automation 2023-11-02 16:30:22 UTC
SUSE-SU-2023:4348-1: An update that solves 11 vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1210778, 1210853, 1212051, 1214842, 1215095, 1215467, 1215518, 1215745, 1215858, 1215860, 1215861, 1216046, 1216051, 1216134
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-3111, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-45862
Sources used:
openSUSE Leap 15.3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2, kernel-obs-qa-5.3.18-150300.59.141.1, kernel-source-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-livepatch-SLE15-SP3_Update_38-1-150300.7.3.2
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_38-1-150300.7.3.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2
SUSE Manager Proxy 4.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1
SUSE Manager Retail Branch Server 4.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1
SUSE Manager Server 4.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1
SUSE Enterprise Storage 7.1 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
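A defender's check, added here and not part of the bug report or of SUSE's own tooling, that ties together comment 7 (BPF programs can only be loaded locally, and by default only by a process holding CAP_BPF) and the fixed kernel-source versions listed in the update notices. It assumes `uname -r` on SLE/Leap has the form `5.3.18-150300.59.141-default` (flavor `azure` for the Azure kernel) and treats the `kernel.unprivileged_bpf_disabled` sysctl as the mitigation switch; both are assumptions, not facts stated on this page.

```python
import re

# Fixed kernel-source versions quoted in the SUSE update comments on this page,
# keyed by (kernel branch as it appears in the release string, flavor family).
FIXED_VERSIONS = {
    ("150200", "default"): "5.3.18-150200.24.169.1",  # SUSE-SU-2023:4377-1
    ("150300", "default"): "5.3.18-150300.59.141.1",  # SUSE-SU-2023:4348-1
    ("150400", "default"): "5.14.21-150400.24.97.1",  # SUSE-SU-2023:4378-1
    ("150400", "azure"): "5.14.21-150400.14.72.1",    # SUSE-SU-2023:4345-1
}

# Assumed shape of `uname -r` on SLE/Leap: <version>-<branch>.<release>-<flavor>
RELEASE_RE = re.compile(
    r"^(?P<ver>\d+(?:\.\d+)*-(?P<branch>\d{6})(?:\.\d+)*)-(?P<flavor>[a-z0-9]+)$")


def version_tuple(s):
    """'5.3.18-150300.59.141.1' -> (5, 3, 18, 150300, 59, 141, 1)."""
    return tuple(int(p) for p in re.split(r"[.-]", s))


def kernel_has_fix(uname_release):
    """True if at or past the fixed version, False if older, None if unknown."""
    m = RELEASE_RE.match(uname_release)
    if not m:
        return None
    family = "azure" if m["flavor"] == "azure" else "default"
    fixed = FIXED_VERSIONS.get((m["branch"], family))
    if fixed is None:
        return None
    running = version_tuple(m["ver"])
    # uname -r omits the package's trailing rebuild counter (the ".1"), so
    # compare only the components the running kernel actually reports.
    return running >= version_tuple(fixed)[:len(running)]


def unprivileged_bpf_blocked(sysctl_value):
    """kernel.unprivileged_bpf_disabled: 0 lets unprivileged processes load BPF
    programs; 1 and 2 block that (1 is locked until reboot, 2 can be reverted)."""
    return int(sysctl_value) in (1, 2)


def assess(uname_release, sysctl_value):
    """Combine both checks into one status string for a host."""
    has_fix = kernel_has_fix(uname_release)
    if has_fix is None:
        return "unknown-kernel"
    if has_fix:
        return "patched"
    if unprivileged_bpf_blocked(sysctl_value):
        return "unpatched-needs-cap-bpf"
    return "unpatched-unprivileged-bpf-allowed"
```

On a live host, call `assess(platform.release(), open("/proc/sys/kernel/unprivileged_bpf_disabled").read().strip())`; a result other than "patched" means the kernel update from the notices above is still outstanding.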
Comment 34 Maintenance Automation 2023-11-02 16:30:35 UTC
SUSE-SU-2023:4345-1: An update that solves nine vulnerabilities and has 14 security fixes can now be installed.

Category: security (important)
Bug References: 1208788, 1210778, 1211307, 1212423, 1212649, 1213705, 1214842, 1215095, 1215104, 1215518, 1215745, 1215768, 1215860, 1215955, 1215986, 1216046, 1216051, 1216062, 1216345, 1216510, 1216511, 1216512, 1216621
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39193, CVE-2023-45862, CVE-2023-46813, CVE-2023-5178
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-azure-5.14.21-150400.14.72.1, kernel-source-azure-5.14.21-150400.14.72.1
Public Cloud Module 15-SP4 (src): kernel-syms-azure-5.14.21-150400.14.72.1, kernel-source-azure-5.14.21-150400.14.72.1

Comment 35 Maintenance Automation 2023-11-03 16:30:20 UTC
SUSE-SU-2023:4358-1: An update that solves nine vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212051, 1214842, 1215095, 1215467, 1215518, 1215745, 1215858, 1215860, 1215861, 1216046
CVE References: CVE-2023-2163, CVE-2023-3111, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754
Sources used:

Comment 36 Maintenance Automation 2023-11-06 16:30:02 UTC
SUSE-SU-2023:4377-1: An update that solves 10 vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1210778, 1210853, 1212051, 1215467, 1215518, 1215745, 1215858, 1215860, 1215861, 1216046, 1216051, 1216134
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-3111, CVE-2023-34324, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-45862
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_42-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.169.1, kernel-source-5.3.18-150200.24.169.1, kernel-syms-5.3.18-150200.24.169.1, kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.169.1, kernel-source-5.3.18-150200.24.169.1, kernel-syms-5.3.18-150200.24.169.1, kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-obs-build-5.3.18-150200.24.169.1, kernel-source-5.3.18-150200.24.169.1, kernel-syms-5.3.18-150200.24.169.1, kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1

Comment 37 Maintenance Automation 2023-11-06 16:30:16 UTC
SUSE-SU-2023:4378-1: An update that solves seven vulnerabilities and has 14 security fixes can now be installed.

Category: security (important)
Bug References: 1208788, 1210778, 1211307, 1212423, 1212649, 1213705, 1213772, 1214842, 1215095, 1215104, 1215518, 1215955, 1215956, 1215957, 1215986, 1216062, 1216345, 1216510, 1216511, 1216512, 1216621
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39193, CVE-2023-5178
Sources used:
openSUSE Leap 15.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2, kernel-source-5.14.21-150400.24.97.1, kernel-livepatch-SLE15-SP4_Update_20-1-150400.9.3.2, kernel-syms-5.14.21-150400.24.97.1, kernel-obs-qa-5.14.21-150400.24.97.1, kernel-obs-build-5.14.21-150400.24.97.1
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
Basesystem Module 15-SP4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2, kernel-source-5.14.21-150400.24.97.1
Development Tools Module 15-SP4 (src): kernel-syms-5.14.21-150400.24.97.1, kernel-source-5.14.21-150400.24.97.1, kernel-obs-build-5.14.21-150400.24.97.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_20-1-150400.9.3.2

Comment 38 Marcus Meissner 2024-01-31 12:47:56 UTC
done