{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56702", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-27T15:00:39.856Z", "datePublished": "2024-12-28T09:46:24.244Z", "dateUpdated": "2025-01-20T06:26:30.388Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-20T06:26:30.388Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark raw_tp arguments with PTR_MAYBE_NULL\n\nArguments to a raw tracepoint are tagged as trusted, which carries the\nsemantics that the pointer will be non-NULL. However, in certain cases,\na raw tracepoint argument may end up being NULL. More context about this\nissue is available in [0].\n\nThus, there is a discrepancy between the reality, that raw_tp arguments\ncan actually be NULL, and the verifier's knowledge, that they are never\nNULL, causing explicit NULL checks to be deleted, and accesses to such\npointers potentially crashing the kernel.\n\nTo fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special\ncase the dereference and pointer arithmetic to permit it, and allow\npassing them into helpers/kfuncs; these exceptions are made for raw_tp\nprograms only. Ensure that we don't do this when ref_obj_id > 0, as in\nthat case this is an acquired object and doesn't need such adjustment.\n\nThe reason we do mask_raw_tp_trusted_reg logic is because other will\nrecheck in places whether the register is a trusted_reg, and then\nconsider our register as untrusted when detecting the presence of the\nPTR_MAYBE_NULL flag.\n\nTo allow safe dereference, we enable PROBE_MEM marking when we see loads\ninto trusted pointers with PTR_MAYBE_NULL.\n\nWhile trusted raw_tp arguments can also be passed into helpers or kfuncs\nwhere such broken assumption may cause issues, a future patch set will\ntackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can\nalready be passed into helpers and causes similar problems. Thus, they\nare left alone for now.\n\nIt is possible that these checks also permit passing non-raw_tp args\nthat are trusted PTR_TO_BTF_ID with null marking. In such a case,\nallowing dereference when pointer is NULL expands allowed behavior, so\nwon't regress existing programs, and the case of passing these into\nhelpers is the same as above and will be dealt with later.\n\nAlso update the failure case in tp_btf_nullable selftest to capture the\nnew behavior, as the verifier will no longer cause an error when\ndirectly dereference a raw tracepoint argument marked as __nullable.\n\n [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/bpf.h", "kernel/bpf/btf.c", "kernel/bpf/verifier.c", "tools/testing/selftests/bpf/progs/test_tp_btf_nullable.c"], "versions": [{"version": "3f00c52393445ed49aadc1a567aa502c6333b1a1", "lessThan": "c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6", "status": "affected", "versionType": "git"}, {"version": "3f00c52393445ed49aadc1a567aa502c6333b1a1", "lessThan": "3634d4a310820567fc634bf8f1ee2b91378773e8", "status": "affected", "versionType": "git"}, {"version": "3f00c52393445ed49aadc1a567aa502c6333b1a1", "lessThan": "cb4158ce8ec8a5bb528cc1693356a5eb8058094d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/bpf.h", "kernel/bpf/btf.c", "kernel/bpf/verifier.c", "tools/testing/selftests/bpf/progs/test_tp_btf_nullable.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.11", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.2", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6"}, {"url": "https://git.kernel.org/stable/c/3634d4a310820567fc634bf8f1ee2b91378773e8"}, {"url": "https://git.kernel.org/stable/c/cb4158ce8ec8a5bb528cc1693356a5eb8058094d"}], "title": "bpf: Mark raw_tp arguments with PTR_MAYBE_NULL", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5EC3EA5-C348-4DEA-A771-70965BB6CE47", "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Mark raw_tp arguments with PTR_MAYBE_NULL\n\nArguments to a raw tracepoint are tagged as trusted, which carries the\nsemantics that the pointer will be non-NULL. However, in certain cases,\na raw tracepoint argument may end up being NULL. More context about this\nissue is available in [0].\n\nThus, there is a discrepancy between the reality, that raw_tp arguments\ncan actually be NULL, and the verifier's knowledge, that they are never\nNULL, causing explicit NULL checks to be deleted, and accesses to such\npointers potentially crashing the kernel.\n\nTo fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special\ncase the dereference and pointer arithmetic to permit it, and allow\npassing them into helpers/kfuncs; these exceptions are made for raw_tp\nprograms only. Ensure that we don't do this when ref_obj_id > 0, as in\nthat case this is an acquired object and doesn't need such adjustment.\n\nThe reason we do mask_raw_tp_trusted_reg logic is because other will\nrecheck in places whether the register is a trusted_reg, and then\nconsider our register as untrusted when detecting the presence of the\nPTR_MAYBE_NULL flag.\n\nTo allow safe dereference, we enable PROBE_MEM marking when we see loads\ninto trusted pointers with PTR_MAYBE_NULL.\n\nWhile trusted raw_tp arguments can also be passed into helpers or kfuncs\nwhere such broken assumption may cause issues, a future patch set will\ntackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can\nalready be passed into helpers and causes similar problems. Thus, they\nare left alone for now.\n\nIt is possible that these checks also permit passing non-raw_tp args\nthat are trusted PTR_TO_BTF_ID with null marking. In such a case,\nallowing dereference when pointer is NULL expands allowed behavior, so\nwon't regress existing programs, and the case of passing these into\nhelpers is the same as above and will be dealt with later.\n\nAlso update the failure case in tp_btf_nullable selftest to capture the\nnew behavior, as the verifier will no longer cause an error when\ndirectly dereference a raw tracepoint argument marked as __nullable.\n\n [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Marcar argumentos raw_tp con PTR_MAYBE_NULL Los argumentos para un tracepoint sin procesar se etiquetan como confiables, lo que conlleva la sem\u00e1ntica de que el puntero no ser\u00e1 NULL. Sin embargo, en ciertos casos, un argumento de tracepoint sin procesar puede terminar siendo NULL. Hay m\u00e1s contexto disponible sobre este problema en [0]. Por lo tanto, existe una discrepancia entre la realidad, que los argumentos raw_tp pueden ser NULL, y el conocimiento del verificador, de que nunca son NULL, lo que hace que se eliminen las comprobaciones NULL expl\u00edcitas y los accesos a dichos punteros potencialmente bloqueen el kernel. Para solucionar esto, marque los argumentos raw_tp como PTR_MAYBE_NULL y luego aplique un caso especial a la desreferencia y la aritm\u00e9tica de punteros para permitirlo, y permita pasarlos a ayudantes/kfuncs; estas excepciones se realizan solo para programas raw_tp. Aseg\u00farese de no hacer esto cuando ref_obj_id > 0, ya que en ese caso se trata de un objeto adquirido y no necesita dicho ajuste. La raz\u00f3n por la que hacemos la l\u00f3gica mask_raw_tp_trusted_reg es porque otros volver\u00e1n a verificar en algunos lugares si el registro es un trusted_reg y luego considerar\u00e1n nuestro registro como no confiable al detectar la presencia del indicador PTR_MAYBE_NULL. Para permitir una desreferencia segura, habilitamos el marcado PROBE_MEM cuando vemos cargas en punteros confiables con PTR_MAYBE_NULL. Si bien los argumentos raw_tp confiables tambi\u00e9n se pueden pasar a los ayudantes o kfuncs donde tal suposici\u00f3n rota puede causar problemas, un futuro conjunto de parches abordar\u00e1 su caso por separado, ya que PTR_TO_BTF_ID (sin PTR_TRUSTED) ya se puede pasar a los ayudantes y causa problemas similares. Por lo tanto, se dejan solos por ahora. Es posible que estas verificaciones tambi\u00e9n permitan pasar argumentos que no sean raw_tp que sean PTR_TO_BTF_ID confiables con marcado nulo. En tal caso, permitir la desreferencia cuando el puntero es NULL expande el comportamiento permitido, por lo que no se producir\u00e1 una regresi\u00f3n de los programas existentes, y el caso de pasarlos a los ayudantes es el mismo que el anterior y se tratar\u00e1 m\u00e1s adelante. Tambi\u00e9n actualice el caso de falla en la autoprueba tp_btf_nullable para capturar el nuevo comportamiento, ya que el verificador ya no provocar\u00e1 un error cuando desreferencia directamente un argumento de punto de seguimiento sin formato marcado como __nullable. [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb"}], "id": "CVE-2024-56702", "lastModified": "2025-02-03T15:14:18.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-28T10:15:17.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3634d4a310820567fc634bf8f1ee2b91378773e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c9b91d2d54175f781ad2c361cb2ac2c0e29b14b6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb4158ce8ec8a5bb528cc1693356a5eb8058094d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf: Mark raw_tp arguments with PTR_MAYBE_NULL", "id": "2334670", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334670"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf: Mark raw_tp arguments with PTR_MAYBE_NULL\nArguments to a raw tracepoint are tagged as trusted, which carries the\nsemantics that the pointer will be non-NULL. However, in certain cases,\na raw tracepoint argument may end up being NULL. More context about this\nissue is available in [0].\nThus, there is a discrepancy between the reality, that raw_tp arguments\ncan actually be NULL, and the verifier's knowledge, that they are never\nNULL, causing explicit NULL checks to be deleted, and accesses to such\npointers potentially crashing the kernel.\nTo fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special\ncase the dereference and pointer arithmetic to permit it, and allow\npassing them into helpers/kfuncs; these exceptions are made for raw_tp\nprograms only. Ensure that we don't do this when ref_obj_id > 0, as in\nthat case this is an acquired object and doesn't need such adjustment.\nThe reason we do mask_raw_tp_trusted_reg logic is because other will\nrecheck in places whether the register is a trusted_reg, and then\nconsider our register as untrusted when detecting the presence of the\nPTR_MAYBE_NULL flag.\nTo allow safe dereference, we enable PROBE_MEM marking when we see loads\ninto trusted pointers with PTR_MAYBE_NULL.\nWhile trusted raw_tp arguments can also be passed into helpers or kfuncs\nwhere such broken assumption may cause issues, a future patch set will\ntackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can\nalready be passed into helpers and causes similar problems. Thus, they\nare left alone for now.\nIt is possible that these checks also permit passing non-raw_tp args\nthat are trusted PTR_TO_BTF_ID with null marking. In such a case,\nallowing dereference when pointer is NULL expands allowed behavior, so\nwon't regress existing programs, and the case of passing these into\nhelpers is the same as above and will be dealt with later.\nAlso update the failure case in tp_btf_nullable selftest to capture the\nnew behavior, as the verifier will no longer cause an error when\ndirectly dereference a raw tracepoint argument marked as __nullable.\n[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb"], "name": "CVE-2024-56702", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-56702\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56702\nhttps://lore.kernel.org/linux-cve-announce/2024122837-CVE-2024-56702-172d@gregkh/T"], "statement": "The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.\nFor the Red Hat Enterprise Linux 9 to confirm the current state, inspect the sysctl with the command:\ncat /proc/sys/kernel/unprivileged_bpf_disabled\nThe setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.", "threat_severity": "Low"}