CVE-2024-56702

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/12/2024
Last modified: 28/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Mark raw_tp arguments with PTR_MAYBE_NULL

Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0].

Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel.

To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment.

The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag.

To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL.

While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now.

It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later.

Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable.

[0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb

Impact