In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix DEVMAP_HASH overflow check on 32-bit arches

The devmap code allocates a number of hash buckets equal to the next power
of two of the max_entries value provided when creating the map. When
rounding up to the next power of two, the 32-bit variable storing the
number of buckets can overflow, and the code checks for overflow by
checking if the truncated 32-bit value is equal to 0. However, on 32-bit
arches the rounding up itself can overflow mid-way through, because it
ends up doing a left-shift of 32 bits on an unsigned long value. If the
size of an unsigned long is four bytes, this is undefined behaviour, so
there is no guarantee that we'll end up with a nice and tidy 0-value at
the end.

Syzbot managed to turn this into a crash on arm32 by creating a
DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.
Fix this by moving the overflow check to before the rounding up
operation.
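The ordering the fix describes, as an added example that is not the kernel patch itself: a userspace C model in which `uint32_t` stands in for a 4-byte unsigned long. The names `fls32`, `roundup_shift` and `n_buckets_checked` are hypothetical, and rejecting `max_entries == 0` is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* 1-based index of the highest set bit, 0 for x == 0. */
static unsigned int fls32(uint32_t x)
{
    unsigned int n = 0;
    for (; x; x >>= 1)
        n++;
    return n;
}

/* Shift count needed to round n up to a power of two: 1 << fls(n - 1).
 * uint32_t stands in for a 4-byte unsigned long (assumption of this model). */
unsigned int roundup_shift(uint32_t n)
{
    return fls32(n - 1);
}

/* Overflow check before rounding. Returns 0 and stores the bucket count,
 * or -1 when the request is rejected. Rejecting 0 is an assumption here. */
int n_buckets_checked(uint32_t max_entries, uint32_t *n_buckets)
{
    if (max_entries == 0 || max_entries > (UINT32_C(1) << 31))
        return -1;
    /* The shift count is now at most 31, so the shift is well defined. */
    *n_buckets = UINT32_C(1) << roundup_shift(max_entries);
    return 0;
}

int main(void)
{
    /* Constructed sample values for max_entries. */
    const uint32_t samples[] = { 1, 1000, 0x80000000u, 0x80000001u, 0xffffffffu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t b = 0;
        int rc = n_buckets_checked(samples[i], &b);
        printf("max_entries=0x%08x shift=%u -> %s (n_buckets=0x%08x)\n",
               (unsigned)samples[i], roundup_shift(samples[i]),
               rc ? "rejected" : "ok", (unsigned)b);
    }
    return 0;
}
```

For every sample above 0x80000000 the required shift count is 32, the full width of the 4-byte type, which is why a zero test after the rounding cannot be relied on.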
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |

Fri, 08 Nov 2024 16:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |

Thu, 17 Oct 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |

Thu, 17 Oct 2024 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-04-17T10:27:40.300Z
Updated: 2024-12-19T08:49:29.194Z
Reserved: 2024-02-19T14:20:24.185Z
Link: CVE-2024-26885
Vulnrichment
Updated: 2024-08-02T00:21:05.424Z
NVD
Status: Modified
Published: 2024-04-17T11:15:10.210
Modified: 2024-11-21T09:03:17.910
Link: CVE-2024-26885