Received: by 2002:a89:d88:0:b0:1fa:5c73:8e2d with SMTP id eb8csp318867lqb; Thu, 23 May 2024 21:36:30 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUousUGq9SeKJEJiWIahHWHsA3PlMG9Yssj5uCasK45R9s9NaFDCfDdphFRP3O/TeAo9ksERfsPz08BuwEUAxZXN3dJnypSamQidweSJg== X-Google-Smtp-Source: AGHT+IHExiLlO91maLqBXjzIR9wYNEGbutgtOuo3kU1va6/QHl34Shp8ynmxfILcVdWmWADUUl5W X-Received: by 2002:a05:6a00:4405:b0:6f8:caf2:8f4f with SMTP id d2e1a72fcca58-6f8f45d2624mr1239423b3a.33.1716525390061; Thu, 23 May 2024 21:36:30 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716525390; cv=pass; d=google.com; s=arc-20160816; b=iJ5tWgptnIwVngvzxWbZBz6RTNiANZzAoG1cGgyerBj47AH6ALFs1p/cssZGIam8YN QD8s60S+J1Hzdg/I9HyPf3usAkZmPiL1dpKqe3WlxjHqfCRGpm13v8Dn7qvbH98rD+L3 64rK5jDqylKYKYjgyXrD4DvB/dznu2spKMsBh4uVkyDOsuY66x9urIO9N9ErJwyYJYbv 4V6x9Qva3s8Y8/pmNZomPQidHcHjRR7WrYwJYmYHgpCvy4810cFILGYqh0jKEx6MXJTw Wjtsa6r7C214yxUR+n9RY6tmuzoAyj4OAGbfpt//It5D7v78CzuKD5aeBOukgWOSW/uA jjlw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=RiYFvDjbPXN3OTGC6h7qS9tfA9KBU5H6QhahNZxmkBI=; fh=/wt2TymyLdxb+j+4viH4KaOQk/6Vru9yyWVklmCBcEo=; b=Xl4evRJEsx2K8gRByOiER33myjyTEKNwIpSq42uV0IvAcQYI7U6TBmGxpPcHNIU1jV FpI6s5ZxfguNPkMKFzFmxmZwx05R5PSENwmy8CkExZwt5HJqPeyTYxOU6r/fAvtEDoVk OKQeUTED4SR0oa33/sp3JPThU5h3IKsQEduZ30p9Iex2ZAtVP0mIki9q+Wu4/OpeUv+3 f+umL5/uUu554YORL1xzo2PW3bvd47IErTfIL6WjHKRcqMMGEqo6+W3mxEdj1UmMB5xX lZeBuJrdBFGjcIC4CZieJ3bErGHmpQrI5iBJgy653ftCvoMDkfVxPS4NQ5Rhs3BvyxY8 Lf8g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=yAgG96Is; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-188310-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188310-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id d2e1a72fcca58-6f8fda1b42dsi732874b3a.387.2024.05.23.21.36.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 May 2024 21:36:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-188310-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=yAgG96Is; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-188310-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188310-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id A7A88283582 for ; Fri, 24 May 2024 04:36:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 99618383AE; Fri, 24 May 2024 04:36:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="yAgG96Is" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C4F542E644 for ; Fri, 24 May 2024 04:36:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716525382; cv=none; b=Atcdx5FmfGtE3S7bixCefUC5WfpPb98p/bDcBpCAlP6twrNNb+5itkqM2co5kndaw6jeqteIKHqHZz0pF7DAjQGX89Ctt3ryoVXzQ4J6igOBNtkjOKhucFV1VyFBmtiwMfyb+V6gAla+aNsbHd2lKYHcIDrHHGnXGFQ5I//+jzU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716525382; c=relaxed/simple; bh=lo6fRPZJ4lniRYSlcwAxNm39c3zT4LDJA+k+Id/50SA=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=FqVlLyxbj2YKOxCGMU8o4XDdBg0cgmzZ6Q8Ufz+nj7Zdjfvz3TZdIyAbNa4RlHDvytss5SiP5bYFWcgNeL5HwNBOl67snPygLQsYASl9gx7sIqY2fBCwvI43bbN7Yokvx0KmY8RPyNV1K2XB7wkypku6mFcVVCbfsJjTSTRlMS0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=yAgG96Is; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 03EA4C2BBFC; Fri, 24 May 2024 04:36:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1716525382; bh=lo6fRPZJ4lniRYSlcwAxNm39c3zT4LDJA+k+Id/50SA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=yAgG96IsgKvMBVeVyWhrsOddzgbcRUBy4j6xR67RBxSr8saxYoAMgJbQgPumocEkG MiUjootCHhD1o4qA6ihoyFvI81jxay6BZT5loXc1ppdEedhTwf9W+NddyDPK7li88n 74crn+rdF8vmd/2GhMbiP04BoBLmPNrmVnd+EEb0= Date: Fri, 24 May 2024 06:36:19 +0200 From: Greg Kroah-Hartman To: Shung-Hsi Yu Cc: cve@kernel.org, linux-kernel@vger.kernel.org, Michal Hocko Subject: Re: CVE-2023-52793: samples/bpf: syscall_tp_user: Fix array out-of-bound access Message-ID: <2024052404-founding-motion-5e89@gregkh> References: <7p643u2dcn6cen32dbtrcki62qrn3o2hyiplbx2hkpcojuiev5@3hbnkswhtha3> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <7p643u2dcn6cen32dbtrcki62qrn3o2hyiplbx2hkpcojuiev5@3hbnkswhtha3> On Fri, May 24, 2024 at 11:58:54AM +0800, Shung-Hsi Yu wrote: > On Tue, 21 May 2024 17:31:29 +0200, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > samples/bpf: syscall_tp_user: Fix array out-of-bound access > > > > Commit 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint > > to syscall_tp sample") added two more eBPF programs to support the > > openat2() syscall. However, it did not increase the size of the array > > that holds the corresponding bpf_links. This leads to an out-of-bound > > access on that array in the bpf_object__for_each_program loop and could > > corrupt other variables on the stack. On our testing QEMU, it corrupts > > the map1_fds array and causes the sample to fail: > > > > # ./syscall_tp > > prog #0: map ids 4 5 > > verify map:4 val: 5 > > map_lookup failed: Bad file descriptor > > > > Dynamically allocate the array based on the number of programs reported > > by libbpf to prevent similar inconsistencies in the future > > > > The Linux kernel CVE team has assigned CVE-2023-52793 to this issue. > > I would like to dispute this CVE. > > Files in samples/bpf are meant to serve as an example and not code that > are directly used at run-time, hence I believe this bug does not have > security implication. You are right, sorry about that, now rejected. Thanks for the review! greg k-h