Re: CVE-2023-52592: libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos

From: Michal Hocko
Date: Thu Mar 07 2024 - 05:09:50 EST


On Wed 06-03-24 06:45:50, Greg KH wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
>
> An issue occurred while reading an ELF file in libbpf.c during fuzzing:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
> 4206 in libbpf.c
> (gdb) bt
> #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
> #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
> #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
> #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
> #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
> #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
> #6 0x000000000087ad92 in tracing::span::Span::in_scope ()
> #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
> #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
> #9 0x00000000005f2601 in main ()
> (gdb)
>
> scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
>
> if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
>
> The scn_data is derived from the code above:
>
> scn = elf_sec_by_idx(obj, sec_idx);
> scn_data = elf_sec_data(obj, scn);
>
> relo_sec_name = elf_sec_str(obj, shdr->sh_name);
> sec_name = elf_sec_name(obj, scn);
> if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL
> return -EINVAL;
>
> In certain special scenarios, such as reading a malformed ELF file,
> it is possible that scn_data may be a null pointer
>
> The Linux kernel CVE team has assigned CVE-2023-52592 to this issue.

OK, so this one is quite interesting. This is a userspace tooling
gaining a kernel CVE. Is this just an omission or is this really
expected.

Also what is the security threat model here? If a malformed ELF file is
loaded then the process gets SEGV which is perfectly reasonable thing to
do.

Thanks!
--
Michal Hocko
SUSE Labs