CVE-2023-52452 (GCVE-0-2023-52452)

Vulnerability from cvelistv5 – Published: 2024-02-22 16:21 – Updated: 2025-05-04 12:49
VLAI?
Title
bpf: Fix accesses to uninit stack slots
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 01f810ace9ed37255f27608a0864abebccf0aab3 , < 0954982db8283016bf38e9db2da5adf47a102e19 (git)
Affected: 01f810ace9ed37255f27608a0864abebccf0aab3 , < fbcf372c8eda2290470268e0afb5ab5d5f5d5fde (git)
Affected: 01f810ace9ed37255f27608a0864abebccf0aab3 , < 6b4a64bafd107e521c01eec3453ce94a3fb38529 (git)
Affected: f3c4b01689d392373301e6e60d1b02c5b4020afc (git)
Affected: d1b725ea5d104caea250427899f4e2e3ab15b4fc (git)
Create a notification for this product.
    Linux Linux Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.6.14 , ≤ 6.6.* (semver)
Unaffected: 6.7.2 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52452",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-22T19:34:47.236363Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:01.979Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:55:41.850Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c",
            "tools/testing/selftests/bpf/progs/iters.c",
            "tools/testing/selftests/bpf/progs/test_global_func16.c",
            "tools/testing/selftests/bpf/progs/verifier_basic_stack.c",
            "tools/testing/selftests/bpf/progs/verifier_int_ptr.c",
            "tools/testing/selftests/bpf/progs/verifier_raw_stack.c",
            "tools/testing/selftests/bpf/progs/verifier_var_off.c",
            "tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c",
            "tools/testing/selftests/bpf/verifier/calls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0954982db8283016bf38e9db2da5adf47a102e19",
              "status": "affected",
              "version": "01f810ace9ed37255f27608a0864abebccf0aab3",
              "versionType": "git"
            },
            {
              "lessThan": "fbcf372c8eda2290470268e0afb5ab5d5f5d5fde",
              "status": "affected",
              "version": "01f810ace9ed37255f27608a0864abebccf0aab3",
              "versionType": "git"
            },
            {
              "lessThan": "6b4a64bafd107e521c01eec3453ce94a3fb38529",
              "status": "affected",
              "version": "01f810ace9ed37255f27608a0864abebccf0aab3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f3c4b01689d392373301e6e60d1b02c5b4020afc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d1b725ea5d104caea250427899f4e2e3ab15b4fc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c",
            "tools/testing/selftests/bpf/progs/iters.c",
            "tools/testing/selftests/bpf/progs/test_global_func16.c",
            "tools/testing/selftests/bpf/progs/verifier_basic_stack.c",
            "tools/testing/selftests/bpf/progs/verifier_int_ptr.c",
            "tools/testing/selftests/bpf/progs/verifier_raw_stack.c",
            "tools/testing/selftests/bpf/progs/verifier_var_off.c",
            "tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c",
            "tools/testing/selftests/bpf/verifier/calls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state-\u003eallocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn\u0027t be updated - global_func16 - because it\ncan\u0027t run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they\u0027re inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction\u0027s needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:49:02.146Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529"
        }
      ],
      "title": "bpf: Fix accesses to uninit stack slots",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52452",
    "datePublished": "2024-02-22T16:21:43.094Z",
    "dateReserved": "2024-02-20T12:30:33.293Z",
    "dateUpdated": "2025-05-04T12:49:02.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T22:55:41.850Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-52452\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-22T19:34:47.236363Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T15:20:37.631Z\"}}], \"cna\": {\"title\": \"bpf: Fix accesses to uninit stack slots\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"01f810ace9ed37255f27608a0864abebccf0aab3\", \"lessThan\": \"0954982db8283016bf38e9db2da5adf47a102e19\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"01f810ace9ed37255f27608a0864abebccf0aab3\", \"lessThan\": \"fbcf372c8eda2290470268e0afb5ab5d5f5d5fde\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"01f810ace9ed37255f27608a0864abebccf0aab3\", \"lessThan\": \"6b4a64bafd107e521c01eec3453ce94a3fb38529\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f3c4b01689d392373301e6e60d1b02c5b4020afc\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d1b725ea5d104caea250427899f4e2e3ab15b4fc\", \"versionType\": \"git\"}], \"programFiles\": [\"kernel/bpf/verifier.c\", \"tools/testing/selftests/bpf/progs/iters.c\", \"tools/testing/selftests/bpf/progs/test_global_func16.c\", \"tools/testing/selftests/bpf/progs/verifier_basic_stack.c\", \"tools/testing/selftests/bpf/progs/verifier_int_ptr.c\", \"tools/testing/selftests/bpf/progs/verifier_raw_stack.c\", \"tools/testing/selftests/bpf/progs/verifier_var_off.c\", \"tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c\", \"tools/testing/selftests/bpf/verifier/calls.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.12\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.14\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"kernel/bpf/verifier.c\", \"tools/testing/selftests/bpf/progs/iters.c\", \"tools/testing/selftests/bpf/progs/test_global_func16.c\", \"tools/testing/selftests/bpf/progs/verifier_basic_stack.c\", \"tools/testing/selftests/bpf/progs/verifier_int_ptr.c\", \"tools/testing/selftests/bpf/progs/verifier_raw_stack.c\", \"tools/testing/selftests/bpf/progs/verifier_var_off.c\", \"tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c\", \"tools/testing/selftests/bpf/verifier/calls.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19\"}, {\"url\": \"https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde\"}, {\"url\": \"https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix accesses to uninit stack slots\\n\\nPrivileged programs are supposed to be able to read uninitialized stack\\nmemory (ever since 6715df8d5) but, before this patch, these accesses\\nwere permitted inconsistently. In particular, accesses were permitted\\nabove state-\u003eallocated_stack, but not below it. In other words, if the\\nstack was already \\\"large enough\\\", the access was permitted, but\\notherwise the access was rejected instead of being allowed to \\\"grow the\\nstack\\\". This undesired rejection was happening in two places:\\n- in check_stack_slot_within_bounds()\\n- in check_stack_range_initialized()\\nThis patch arranges for these accesses to be permitted. A bunch of tests\\nthat were relying on the old rejection had to change; all of them were\\nchanged to add also run unprivileged, in which case the old behavior\\npersists. One tests couldn\u0027t be updated - global_func16 - because it\\ncan\u0027t run unprivileged for other reasons.\\n\\nThis patch also fixes the tracking of the stack size for variable-offset\\nreads. This second fix is bundled in the same commit as the first one\\nbecause they\u0027re inter-related. Before this patch, writes to the stack\\nusing registers containing a variable offset (as opposed to registers\\nwith fixed, known values) were not properly contributing to the\\nfunction\u0027s needed stack size. As a result, it was possible for a program\\nto verify, but then to attempt to read out-of-bounds data at runtime\\nbecause a too small stack had been allocated for it.\\n\\nEach function tracks the size of the stack it needs in\\nbpf_subprog_info.stack_depth, which is maintained by\\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\\nwas calling update_state_depth() but it was passing in only the fixed\\npart of the offset register, ignoring the variable offset. This was\\nincorrect; the minimum possible value of that register should be used\\ninstead.\\n\\nThis tracking is now fixed by centralizing the tracking of stack size in\\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\\nnow simpler and more convincingly tracks the correct maximum stack size.\\ncheck_stack_range_initialized() can now rely on enough stack having been\\nallocated for the access; this helps with the fix for the first issue.\\n\\nA few tests were changed to also check the stack depth computation. The\\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.14\", \"versionStartIncluding\": \"5.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.2\", \"versionStartIncluding\": \"5.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"5.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.10.33\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.11.17\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:49:02.146Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-52452\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:49:02.146Z\", \"dateReserved\": \"2024-02-20T12:30:33.293Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-22T16:21:43.094Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.