CVE & CISA-KEV Catalog

CVE-2023-52452

HIGH
7.8
CVSS v3
NVD

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.

How to fix

Remediation Available
linuxDebian
Fixed in:6.6.15-1CVE-2023-52452
Fixed in:6.6.15-1CVE-2023-52452
linuxUbuntu
Fixed in:6.5.0-41.41USN-6818-1
linux-awsUbuntu
Fixed in:6.5.0-1021.21USN-6819-2
linux-azureUbuntu
Fixed in:6.5.0-1022.23USN-6819-1
linux-azure-6.5Ubuntu
Fixed in:6.5.0-1022.23~22.04.1USN-6819-1
linux-gcpUbuntu
Fixed in:6.5.0-1022.24USN-6818-1
linux-gcp-6.5Ubuntu
Fixed in:6.5.0-1022.24~22.04.1USN-6818-1
linux-hwe-6.5Ubuntu
Fixed in:6.5.0-41.41~22.04.2USN-6818-4
linux-image-6.5.0-1015-starfiveUbuntu
Fixed in:6.5.0-1015.16~22.04.1USN-6819-1
Fixed in:6.5.0-1015.16USN-6819-1
linux-image-6.5.0-1017-laptopUbuntu
Fixed in:6.5.0-1017.20USN-6818-2
linux-image-6.5.0-1018-raspiUbuntu
Fixed in:6.5.0-1018.21USN-6818-1
linux-image-6.5.0-1021-awsUbuntu
Fixed in:6.5.0-1021.21USN-6819-2
linux-image-6.5.0-1021-nvidiaUbuntu
Fixed in:6.5.0-1021.22USN-6818-3
linux-image-6.5.0-1021-nvidia-64kUbuntu
Fixed in:6.5.0-1021.22USN-6818-3
linux-image-6.5.0-1022-azureUbuntu
Fixed in:6.5.0-1022.23~22.04.1USN-6819-1
Fixed in:6.5.0-1022.23USN-6819-1
linux-image-6.5.0-1022-azure-fdeUbuntu
Fixed in:6.5.0-1022.23~22.04.1USN-6819-1
Fixed in:6.5.0-1022.23USN-6819-1
linux-image-6.5.0-1022-gcpUbuntu
Fixed in:6.5.0-1022.24~22.04.1USN-6818-1
Fixed in:6.5.0-1022.24USN-6818-1
linux-image-6.5.0-1024-oemUbuntu
Fixed in:6.5.0-1024.25USN-6819-3
linux-image-6.5.0-1024-oracleUbuntu
Fixed in:6.5.0-1024.24~22.04.1USN-6819-4
Fixed in:6.5.0-1024.24USN-6819-2
linux-image-6.5.0-1024-oracle-64kUbuntu
Fixed in:6.5.0-1024.24~22.04.1USN-6819-4
Fixed in:6.5.0-1024.24USN-6819-2
linux-image-6.5.0-41-genericUbuntu
Fixed in:6.5.0-41.41~22.04.2USN-6818-4
Fixed in:6.5.0-41.41USN-6818-1
linux-image-6.5.0-41-generic-64kUbuntu
Fixed in:6.5.0-41.41~22.04.2USN-6818-4
Fixed in:6.5.0-41.41USN-6818-1
linux-image-6.5.0-41-lowlatencyUbuntu
Fixed in:6.5.0-41.41.1~22.04.1USN-6818-1
Fixed in:6.5.0-41.41.1USN-6818-1
linux-image-6.5.0-41-lowlatency-64kUbuntu
Fixed in:6.5.0-41.41.1~22.04.1USN-6818-1
Fixed in:6.5.0-41.41.1USN-6818-1
linux-image-awsUbuntu
Fixed in:6.5.0.1021.21USN-6819-2
linux-image-azureUbuntu
Fixed in:6.5.0.1022.23~22.04.1USN-6819-1
Fixed in:6.5.0.1022.26USN-6819-1
linux-image-azure-fdeUbuntu
Fixed in:6.5.0.1022.23~22.04.1USN-6819-1
Fixed in:6.5.0.1022.26USN-6819-1
linux-image-gcpUbuntu
Fixed in:6.5.0.1022.24~22.04.1USN-6818-1
Fixed in:6.5.0.1022.24USN-6818-1
linux-image-genericUbuntu
Fixed in:6.5.0.41.41USN-6818-1
linux-image-generic-64kUbuntu
Fixed in:6.5.0.41.41USN-6818-1
linux-image-generic-64k-hwe-22.04Ubuntu
Fixed in:6.5.0.41.41~22.04.2USN-6818-4
linux-image-generic-hwe-22.04Ubuntu
Fixed in:6.5.0.41.41~22.04.2USN-6818-4
linux-image-generic-lpaeUbuntu
Fixed in:6.5.0.41.41USN-6818-1
linux-image-kvmUbuntu
Fixed in:6.5.0.41.41USN-6818-1
linux-image-laptop-23.10Ubuntu
Fixed in:6.5.0.1017.20USN-6818-2
linux-image-lowlatencyUbuntu
Fixed in:6.5.0.41.41.1USN-6818-1
linux-image-lowlatency-64kUbuntu
Fixed in:6.5.0.41.41.1USN-6818-1
linux-image-lowlatency-64k-hwe-22.04Ubuntu
Fixed in:6.5.0.41.41.1~22.04.1USN-6818-1
linux-image-lowlatency-hwe-22.04Ubuntu
Fixed in:6.5.0.41.41.1~22.04.1USN-6818-1
linux-image-nvidia-6.5Ubuntu
Fixed in:6.5.0.1021.29USN-6818-3
linux-image-nvidia-64k-6.5Ubuntu
Fixed in:6.5.0.1021.29USN-6818-3
linux-image-nvidia-64k-hwe-22.04Ubuntu
Fixed in:6.5.0.1021.29USN-6818-3
linux-image-nvidia-hwe-22.04Ubuntu
Fixed in:6.5.0.1021.29USN-6818-3
linux-image-oem-22.04Ubuntu
Fixed in:6.5.0.1024.26USN-6819-3
linux-image-oem-22.04aUbuntu
Fixed in:6.5.0.1024.26USN-6819-3
linux-image-oem-22.04bUbuntu
Fixed in:6.5.0.1024.26USN-6819-3
linux-image-oem-22.04cUbuntu
Fixed in:6.5.0.1024.26USN-6819-3
linux-image-oem-22.04dUbuntu
Fixed in:6.5.0.1024.26USN-6819-3
linux-image-oracleUbuntu
Fixed in:6.5.0.1024.24~22.04.1USN-6819-4
Fixed in:6.5.0.1024.26USN-6819-2
linux-image-oracle-64kUbuntu
Fixed in:6.5.0.1024.24~22.04.1USN-6819-4
Fixed in:6.5.0.1024.26USN-6819-2
linux-image-raspiUbuntu
Fixed in:6.5.0.1018.19USN-6818-1
linux-image-raspi-nolpaeUbuntu
Fixed in:6.5.0.1018.19USN-6818-1
linux-image-starfiveUbuntu
Fixed in:6.5.0.1015.16~22.04.1USN-6819-1
Fixed in:6.5.0.1015.17USN-6819-1
linux-image-virtualUbuntu
Fixed in:6.5.0.41.41USN-6818-1
linux-image-virtual-hwe-22.04Ubuntu
Fixed in:6.5.0.41.41~22.04.2USN-6818-4
linux-laptopUbuntu
Fixed in:6.5.0-1017.20USN-6818-2
linux-lowlatencyUbuntu
Fixed in:6.5.0-41.41.1USN-6818-1
linux-lowlatency-hwe-6.5Ubuntu
Fixed in:6.5.0-41.41.1~22.04.1USN-6818-1
linux-nvidia-6.5Ubuntu
Fixed in:6.5.0-1021.22USN-6818-3
linux-oem-6.5Ubuntu
Fixed in:6.5.0-1024.25USN-6819-3
linux-oracleUbuntu
Fixed in:6.5.0-1024.24USN-6819-2
linux-oracle-6.5Ubuntu
Fixed in:6.5.0-1024.24~22.04.1USN-6819-4
linux-raspiUbuntu
Fixed in:6.5.0-1018.21USN-6818-1
linux-starfiveUbuntu
Fixed in:6.5.0-1015.16USN-6819-1
linux-starfive-6.5Ubuntu
Fixed in:6.5.0-1015.16~22.04.1USN-6819-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorLocal
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

0.24%probability of exploitation in 30 days
15thpercentile

Low risk: more likely to be exploited than 15% of all known CVEs.

References

Related Vulnerabilities

Other CWE-665 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2022-0847High7.888%KEVFix
CVE-2022-22719High7.570%-Fix
CVE-2020-28019High7.561%-Fix
CVE-2022-46164Critical9.449%-Fix
CVE-2022-37128Critical9.821%--
CVE-2019-14271Critical9.819%-Fix
Embed a live status badge for CVE-2023-52452
CVE-2023-52452 severity badge

Markdown

[![CVE-2023-52452](https://tridentstack.com/cve/badge/CVE-2023-52452.svg)](https://tridentstack.com/cve/CVE-2023-52452)

HTML

<a href="https://tridentstack.com/cve/CVE-2023-52452"><img src="https://tridentstack.com/cve/badge/CVE-2023-52452.svg" alt="CVE-2023-52452"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.