In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: bpf: Corrección de escritura fuera de límites de la pila en devmap get_upper_ifindexes() itera sobre todos los dispositivos superiores y escribe sus índices en un array sin comprobar los límites. Además, los llamadores asumen que el número máximo de dispositivos superiores es MAX_NEST_DEV y asignan excluded_devices[1+MAX_NEST_DEV] en la pila, pero esa suposición no es correcta y el número de dispositivos superiores podría ser mayor que MAX_NEST_DEV (por ejemplo, muchas macvlans), causando una escritura fuera de límites de la pila. Añadir un parámetro max a get_upper_ifindexes() para evitar el problema. Cuando hay demasiados dispositivos superiores, devolver -EOVERFLOW y abortar la redirección. Para reproducir, crear más de MAX_NEST_DEV(8) macvlans en un dispositivo con un programa XDP adjunto usando BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Luego enviar un paquete al dispositivo para activar la ruta de redirección XDP.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-787
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc3357c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67d740> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1dc340> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdcc5a1c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc334d00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b8052e380> | Operating System |
| linux | linux_kernel | 5.15 | <built-in method update of dict object at 0x702b8052e900> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc1dfe40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc1df200> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc336d80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc1de200> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67c4c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67d100> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b8052cdc0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |