Ubuntu: (Multiple Advisories) (CVE-2024-26589): Linux kernel (OEM) vulnerabilities
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited".
Solution(s)
- ubuntu-upgrade-linux-image-5-15-0-102-generic
- ubuntu-upgrade-linux-image-5-15-0-102-generic-64k
- ubuntu-upgrade-linux-image-5-15-0-102-generic-lpae
- ubuntu-upgrade-linux-image-5-15-0-102-lowlatency
- ubuntu-upgrade-linux-image-5-15-0-102-lowlatency-64k
- ubuntu-upgrade-linux-image-5-15-0-1040-gkeop
- ubuntu-upgrade-linux-image-5-15-0-1048-nvidia
- ubuntu-upgrade-linux-image-5-15-0-1048-nvidia-lowlatency
- ubuntu-upgrade-linux-image-5-15-0-1050-ibm
- ubuntu-upgrade-linux-image-5-15-0-1050-raspi
- ubuntu-upgrade-linux-image-5-15-0-1052-intel-iotg
- ubuntu-upgrade-linux-image-5-15-0-1054-gke
- ubuntu-upgrade-linux-image-5-15-0-1054-kvm
- ubuntu-upgrade-linux-image-5-15-0-1055-gcp
- ubuntu-upgrade-linux-image-5-15-0-1055-oracle
- ubuntu-upgrade-linux-image-5-15-0-1057-aws
- ubuntu-upgrade-linux-image-5-15-0-1060-azure
- ubuntu-upgrade-linux-image-5-15-0-1060-azure-fde
- ubuntu-upgrade-linux-image-5-4-0-1035-iot
- ubuntu-upgrade-linux-image-5-4-0-1042-xilinx-zynqmp
- ubuntu-upgrade-linux-image-5-4-0-1070-ibm
- ubuntu-upgrade-linux-image-5-4-0-1083-bluefield
- ubuntu-upgrade-linux-image-5-4-0-1090-gkeop
- ubuntu-upgrade-linux-image-5-4-0-1107-raspi
- ubuntu-upgrade-linux-image-5-4-0-1111-kvm
- ubuntu-upgrade-linux-image-5-4-0-1122-oracle
- ubuntu-upgrade-linux-image-5-4-0-1123-aws
- ubuntu-upgrade-linux-image-5-4-0-1127-gcp
- ubuntu-upgrade-linux-image-5-4-0-1128-azure
- ubuntu-upgrade-linux-image-5-4-0-177-generic
- ubuntu-upgrade-linux-image-5-4-0-177-generic-lpae
- ubuntu-upgrade-linux-image-5-4-0-177-lowlatency
- ubuntu-upgrade-linux-image-6-1-0-1035-oem
- ubuntu-upgrade-linux-image-6-5-0-1012-starfive
- ubuntu-upgrade-linux-image-6-5-0-1014-laptop
- ubuntu-upgrade-linux-image-6-5-0-1015-nvidia
- ubuntu-upgrade-linux-image-6-5-0-1015-nvidia-64k
- ubuntu-upgrade-linux-image-6-5-0-1015-raspi
- ubuntu-upgrade-linux-image-6-5-0-1018-aws
- ubuntu-upgrade-linux-image-6-5-0-1018-gcp
- ubuntu-upgrade-linux-image-6-5-0-1019-azure
- ubuntu-upgrade-linux-image-6-5-0-1019-azure-fde
- ubuntu-upgrade-linux-image-6-5-0-1020-oem
- ubuntu-upgrade-linux-image-6-5-0-1021-oracle
- ubuntu-upgrade-linux-image-6-5-0-1021-oracle-64k
- ubuntu-upgrade-linux-image-6-5-0-28-generic
- ubuntu-upgrade-linux-image-6-5-0-28-generic-64k
- ubuntu-upgrade-linux-image-6-5-0-28-lowlatency
- ubuntu-upgrade-linux-image-6-5-0-28-lowlatency-64k
- ubuntu-upgrade-linux-image-aws
- ubuntu-upgrade-linux-image-aws-lts-20-04
- ubuntu-upgrade-linux-image-aws-lts-22-04
- ubuntu-upgrade-linux-image-azure
- ubuntu-upgrade-linux-image-azure-cvm
- ubuntu-upgrade-linux-image-azure-fde
- ubuntu-upgrade-linux-image-azure-fde-lts-22-04
- ubuntu-upgrade-linux-image-azure-lts-20-04
- ubuntu-upgrade-linux-image-azure-lts-22-04
- ubuntu-upgrade-linux-image-bluefield
- ubuntu-upgrade-linux-image-gcp
- ubuntu-upgrade-linux-image-gcp-lts-20-04
- ubuntu-upgrade-linux-image-gcp-lts-22-04
- ubuntu-upgrade-linux-image-generic
- ubuntu-upgrade-linux-image-generic-64k
- ubuntu-upgrade-linux-image-generic-64k-hwe-20-04
- ubuntu-upgrade-linux-image-generic-64k-hwe-22-04
- ubuntu-upgrade-linux-image-generic-hwe-18-04
- ubuntu-upgrade-linux-image-generic-hwe-20-04
- ubuntu-upgrade-linux-image-generic-hwe-22-04
- ubuntu-upgrade-linux-image-generic-lpae
- ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04
- ubuntu-upgrade-linux-image-gke
- ubuntu-upgrade-linux-image-gke-5-15
- ubuntu-upgrade-linux-image-gkeop
- ubuntu-upgrade-linux-image-gkeop-5-15
- ubuntu-upgrade-linux-image-gkeop-5-4
- ubuntu-upgrade-linux-image-ibm
- ubuntu-upgrade-linux-image-ibm-lts-20-04
- ubuntu-upgrade-linux-image-intel
- ubuntu-upgrade-linux-image-intel-iotg
- ubuntu-upgrade-linux-image-kvm
- ubuntu-upgrade-linux-image-laptop-23-10
- ubuntu-upgrade-linux-image-lowlatency
- ubuntu-upgrade-linux-image-lowlatency-64k
- ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04
- ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04
- ubuntu-upgrade-linux-image-lowlatency-hwe-18-04
- ubuntu-upgrade-linux-image-lowlatency-hwe-20-04
- ubuntu-upgrade-linux-image-lowlatency-hwe-22-04
- ubuntu-upgrade-linux-image-nvidia
- ubuntu-upgrade-linux-image-nvidia-6-5
- ubuntu-upgrade-linux-image-nvidia-64k-6-5
- ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04
- ubuntu-upgrade-linux-image-nvidia-hwe-22-04
- ubuntu-upgrade-linux-image-nvidia-lowlatency
- ubuntu-upgrade-linux-image-oem
- ubuntu-upgrade-linux-image-oem-20-04
- ubuntu-upgrade-linux-image-oem-20-04b
- ubuntu-upgrade-linux-image-oem-20-04c
- ubuntu-upgrade-linux-image-oem-20-04d
- ubuntu-upgrade-linux-image-oem-22-04
- ubuntu-upgrade-linux-image-oem-22-04a
- ubuntu-upgrade-linux-image-oem-22-04b
- ubuntu-upgrade-linux-image-oem-22-04c
- ubuntu-upgrade-linux-image-oem-22-04d
- ubuntu-upgrade-linux-image-oem-osp1
- ubuntu-upgrade-linux-image-oracle
- ubuntu-upgrade-linux-image-oracle-64k
- ubuntu-upgrade-linux-image-oracle-lts-20-04
- ubuntu-upgrade-linux-image-oracle-lts-22-04
- ubuntu-upgrade-linux-image-raspi
- ubuntu-upgrade-linux-image-raspi-hwe-18-04
- ubuntu-upgrade-linux-image-raspi-nolpae
- ubuntu-upgrade-linux-image-raspi2
- ubuntu-upgrade-linux-image-snapdragon-hwe-18-04
- ubuntu-upgrade-linux-image-starfive
- ubuntu-upgrade-linux-image-virtual
- ubuntu-upgrade-linux-image-virtual-hwe-18-04
- ubuntu-upgrade-linux-image-virtual-hwe-20-04
- ubuntu-upgrade-linux-image-virtual-hwe-22-04
- ubuntu-upgrade-linux-image-xilinx-zynqmp
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center