CVE-2024-45020

Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code:

if (exact != NOT_EXACT &&
    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
        return false;

The 'i' iterates old->allocatedstack. If cur->allocatedstack < old->allocated_stack the out-of-bound access will happen.

To fix the issue add 'i >= cur->allocatedstack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slottype[i % BPFREGSIZE] memory access is legal.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45020.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ab470fefce2837e66b771c60858118d50bb5bb10

Fixed

7cad3174cc79519bf5f6c4441780264416822c08

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2793a8b015f7f1caadb9bce9c63dc659f7522676

Fixed

6e3987ac310c74bb4dd6a2fa8e46702fe505fb2b

Fixed

bed2eb964c70b780fb55925892a74f26cb590b25

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.48

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.10.7