gsd-2021-46974
Vulnerability from gsd
Modified
2024-02-28 06:03
Details
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix masking negation logic upon negative dst register
The negation logic for the case where the off_reg is sitting in the
dst register is not correct given then we cannot just invert the add
to a sub or vice versa. As a fix, perform the final bitwise and-op
unconditionally into AX from the off_reg, then move the pointer from
the src to dst and finally use AX as the source for the original
pointer arithmetic operation such that the inversion yields a correct
result. The single non-AX mov in between is possible given constant
blinding is retaining it as it's not an immediate based operation.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-46974"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it\u0027s not an immediate based operation.",
"id": "GSD-2021-46974",
"modified": "2024-02-28T06:03:57.702249Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@kernel.org",
"ID": "CVE-2021-46974",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "ae03b6b1c880",
"version_value": "4d542ddb88fb"
},
{
"version_affected": "\u003c",
"version_name": "f92a819b4cbe",
"version_value": "0e2dfdc74a7f"
},
{
"version_affected": "\u003c",
"version_name": "979d63d50c0c",
"version_value": "53e0db429b37"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "affected",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.233",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.190",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.117",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.35",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.19",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
}
]
}
}
]
},
"vendor_name": "Linux"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it\u0027s not an immediate based operation."
}
]
},
"generator": {
"engine": "bippy-5f0117140d9a"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba"
},
{
"name": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c"
},
{
"name": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848"
},
{
"name": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d"
},
{
"name": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc"
},
{
"name": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66"
},
{
"name": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807",
"refsource": "MISC",
"url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it\u0027s not an immediate based operation."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la l\u00f3gica de negaci\u00f3n de enmascaramiento en el registro dst negativo. La l\u00f3gica de negaci\u00f3n para el caso en el que off_reg se encuentra en el registro dst no es correcta, dado que entonces no podemos simplemente invertir la adici\u00f3n a un sub o viceversa. Como soluci\u00f3n, realice la operaci\u00f3n final bit a bit incondicionalmente en AX desde off_reg, luego mueva el puntero de src a dst y finalmente use AX como fuente para la operaci\u00f3n aritm\u00e9tica del puntero original de modo que la inversi\u00f3n produzca un resultado correcto. El \u00fanico movimiento que no sea AX en el medio es posible dado que el cegamiento constante lo retiene, ya que no es una operaci\u00f3n inmediata."
}
],
"id": "CVE-2021-46974",
"lastModified": "2024-02-28T14:06:45.783",
"metrics": {},
"published": "2024-02-27T19:04:07.500",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
}
}
}
Loading...