Bugzilla – Bug 1221101
VUL-0: REJECTED: CVE-2023-52592: libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
Last modified: 2024-07-12 16:30:53 UTC
In the Linux kernel, the following vulnerability has been resolved: libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos An issue occurred while reading an ELF file in libbpf.c during fuzzing: Program received signal SIGSEGV, Segmentation fault. 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 4206 in libbpf.c (gdb) bt #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706 #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437 #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497 #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16 #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one () #6 0x000000000087ad92 in tracing::span::Span::in_scope () #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir () #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} () #9 0x00000000005f2601 in main () (gdb) scn_data was null at this code(tools/lib/bpf/src/libbpf.c): if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) { The scn_data is derived from the code above: scn = elf_sec_by_idx(obj, sec_idx); scn_data = elf_sec_data(obj, scn); relo_sec_name = elf_sec_str(obj, shdr->sh_name); sec_name = elf_sec_name(obj, scn); if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL return -EINVAL; In certain special scenarios, such as reading a malformed ELF file, it is possible that scn_data may be a null pointer References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52592 https://www.cve.org/CVERecord?id=CVE-2023-52592 https://git.kernel.org/stable/c/12473265f50c1e27b0dfd9735738ac418c4bfcce https://git.kernel.org/stable/c/5f3e436832e86b826a6450eb8d1aaa51205a758e https://git.kernel.org/stable/c/90dbf4535668042fac0d7201ce9e2c8c770c578a https://git.kernel.org/stable/c/ab26541270c722eedf8eefd62797c3ce3d18a91b https://git.kernel.org/stable/c/fc3a5534e2a8855427403113cbeb54af5837bbe0 https://bugzilla.redhat.com/show_bug.cgi?id=2268321
Offending code found in: - SLE15-SP5 - SLE15-SP6 - cve/linux-5.14 - stable stable already has the fix (5f3e436832e8).
got rejected: https://lore.kernel.org/linux-cve-announce/2024030725-REJECTED-3464@gregkh/T/#u
Fixing commit is fc3a5534e2a8 ("libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos") merged v6.8 (equivalent of libbpf `v1.4.0`), while the buggy commit is 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions") merged in v5.13 (equivalent of libbpf `v0.4.0`). SLE15-SP3 and earlier are not affected. The affected products are SLE15-SP4+, which all use the GitHub source of libbpf, hence there is no need to backport to kernel-source. The following action are done instead: - SUSE:SLE-15-SP4:Update with SR331403 - SUSE:SLE-15-SP5:Update with SR331404 - SUSE:SLE-15-SP6:Update with SR331405 Since the CVE has been rejected I believe there's no need to assign back to security team. Closing this directly.
SUSE-RU-2024:1790-1: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1221101 Maintenance Incident: [SUSE:Maintenance:33987](https://smelt.suse.de/incident/33987/) Sources used: openSUSE Leap 15.4 (src): libbpf-0.5.0-150400.3.6.1 Basesystem Module 15-SP5 (src): libbpf-0.5.0-150400.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2024:1809-1: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1221101 Maintenance Incident: [SUSE:Maintenance:33986](https://smelt.suse.de/incident/33986/) Sources used: openSUSE Leap 15.5 (src): libbpf-1.1.0-150500.3.3.1 SUSE Linux Enterprise Micro 5.5 (src): libbpf-1.1.0-150500.3.3.1 Basesystem Module 15-SP5 (src): libbpf-1.1.0-150500.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2024:1951-1: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1221101 Maintenance Incident: [SUSE:Maintenance:33984](https://smelt.suse.de/incident/33984/) Sources used: Basesystem Module 15-SP6 (src): libbpf-1.2.2-150600.3.3.1 Development Tools Module 15-SP6 (src): libbpf-1.2.2-150600.3.3.1 openSUSE Leap 15.6 (src): libbpf-1.2.2-150600.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2024:1809-2: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1221101 Maintenance Incident: [SUSE:Maintenance:33986](https://smelt.suse.de/incident/33986/) Sources used: Development Tools Module 15-SP5 (src): libbpf-1.1.0-150500.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2024:1809-3: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1221101 Maintenance Incident: [SUSE:Maintenance:33986](https://smelt.suse.de/incident/33986/) Sources used: SUSE Linux Enterprise Micro 5.5 (src): libbpf-1.1.0-150500.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.