cve-2024-26885
Vulnerability from cvelistv5
Published
2024-04-17 10:27
Modified
2024-11-08 15:55
Severity ?
Summary
bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
Impacted products
Vendor Product Version
Linux Linux Version: 5.4
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:5.4:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "5.4"
              },
              {
                "status": "affected",
                "version": "6f9d451ab1a3"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26885",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-28T19:51:32.926370Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:30.477Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.424Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c23d9d52c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/281d464a34f540de166cee74b723e97ac2515ec3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/devmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1f5e352b9088",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "225da02acdc9",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "4b81a9f92b36",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "c826502bed93",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "edf7990baa48",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "250051acc21f",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "22079b3a4233",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "e89386f62ce9",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            },
            {
              "lessThan": "281d464a34f5",
              "status": "affected",
              "version": "6f9d451ab1a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/devmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.214",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\n\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we\u0027ll end up with a nice and tidy 0-value at\nthe end.\n\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries \u003e 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-08T15:55:29.315Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1f5e352b9088211fa5eb4e1639cd365f4f7d2f65"
        },
        {
          "url": "https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b81a9f92b3676cb74b907a7a209b3d15bd9a7f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737"
        },
        {
          "url": "https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691"
        },
        {
          "url": "https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c23d9d52c"
        },
        {
          "url": "https://git.kernel.org/stable/c/281d464a34f540de166cee74b723e97ac2515ec3"
        }
      ],
      "title": "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26885",
    "datePublished": "2024-04-17T10:27:40.300Z",
    "dateReserved": "2024-02-19T14:20:24.185Z",
    "dateUpdated": "2024-11-08T15:55:29.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26885\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:10.210\",\"lastModified\":\"2024-11-08T16:15:19.893\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\\n\\nThe devmap code allocates a number hash buckets equal to the next power\\nof two of the max_entries value provided when creating the map. When\\nrounding up to the next power of two, the 32-bit variable storing the\\nnumber of buckets can overflow, and the code checks for overflow by\\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\\narches the rounding up itself can overflow mid-way through, because it\\nends up doing a left-shift of 32 bits on an unsigned long value. If the\\nsize of an unsigned long is four bytes, this is undefined behaviour, so\\nthere is no guarantee that we\u0027ll end up with a nice and tidy 0-value at\\nthe end.\\n\\nSyzbot managed to turn this into a crash on arm32 by creating a\\nDEVMAP_HASH with max_entries \u003e 0x80000000 and then trying to update it.\\nFix this by moving the overflow check to before the rounding up\\noperation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: corrige la verificaci\u00f3n de desbordamiento de DEVMAP_HASH en arcos de 32 bits. El c\u00f3digo devmap asigna un n\u00famero de dep\u00f3sitos de hash igual a la siguiente potencia de dos del valor max_entries proporcionado al crear el mapa. Al redondear a la siguiente potencia de dos, la variable de 32 bits que almacena el n\u00famero de dep\u00f3sitos puede desbordarse, y el c\u00f3digo verifica el desbordamiento comprobando si el valor truncado de 32 bits es igual a 0. Sin embargo, en arcos de 32 bits el redondeo hacia arriba puede desbordarse a mitad de camino, porque termina haciendo un desplazamiento hacia la izquierda de 32 bits en un valor largo sin signo. Si el tama\u00f1o de un largo sin firmar es de cuatro bytes, este es un comportamiento indefinido, por lo que no hay garant\u00eda de que terminemos con un valor 0 agradable y ordenado al final. Syzbot logr\u00f3 convertir esto en un bloqueo en arm32 creando un DEVMAP_HASH con max_entries \u0026gt; 0x80000000 y luego intentando actualizarlo. Solucione este problema moviendo la verificaci\u00f3n de desbordamiento antes de la operaci\u00f3n de redondeo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4\",\"versionEndExcluding\":\"5.10.214\",\"matchCriteriaId\":\"8046F4BF-7BC0-4D82-8E17-E06BA6DC8E1D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.153\",\"matchCriteriaId\":\"ACB69438-845D-4E3C-B114-3140611F9C0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.83\",\"matchCriteriaId\":\"121A07F6-F505-4C47-86BF-9BB6CC7B6C19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.23\",\"matchCriteriaId\":\"E00814DC-0BA7-431A-9926-80FEB4A96C68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.11\",\"matchCriteriaId\":\"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.8\",\"versionEndExcluding\":\"6.8.2\",\"matchCriteriaId\":\"543A75FF-25B8-4046-A514-1EA8EDD87AB1\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1f5e352b9088211fa5eb4e1639cd365f4f7d2f65\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/281d464a34f540de166cee74b723e97ac2515ec3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4b81a9f92b3676cb74b907a7a209b3d15bd9a7f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c23d9d52c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.