{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T00:34:36.690","vulnerabilities":[{"cve":{"id":"CVE-2023-52452","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-02-22T17:15:08.830","lastModified":"2024-11-21T08:39:48.050","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige los accesos a las ranuras de la pila uninit. Se supone que los programas privilegiados pueden leer la memoria de la pila no inicializada (desde 6715df8d5) pero, antes de este parche, estos accesos se permitían de forma inconsistente. En particular, se permitían accesos por encima de state->allocated_stack, pero no por debajo de él. En otras palabras, si la pila ya era \"lo suficientemente grande\", se permitía el acceso, pero en caso contrario se rechazaba el acceso en lugar de permitir \"hacer crecer la pila\". Este rechazo no deseado ocurría en dos lugares: - en check_stack_slot_within_bounds() - en check_stack_range_initialized() Este parche dispone que estos accesos sean permitidos. Un montón de pruebas que dependían del antiguo rechazo tuvieron que cambiar; todos ellos se cambiaron para agregar que también se ejecutan sin privilegios, en cuyo caso el comportamiento anterior persiste. Una prueba no se pudo actualizar (global_func16) porque no se puede ejecutar sin privilegios por otros motivos. Este parche también corrige el seguimiento del tamaño de la pila para lecturas con desplazamiento variable. Esta segunda solución se incluye en la misma confirmación que la primera porque están interrelacionadas. Antes de este parche, las escrituras en la pila usando registros que contenían un desplazamiento variable (a diferencia de registros con valores fijos y conocidos) no contribuían adecuadamente al tamaño de pila necesario de la función. Como resultado, era posible que un programa verificara, pero luego intentara leer datos fuera de límites en tiempo de ejecución porque se le había asignado una pila demasiado pequeña. Cada función rastrea el tamaño de la pila que necesita en bpf_subprog_info.stack_ Depth, que es mantenido por update_stack_ Depth(). Para accesos regulares a la memoria, check_mem_access() estaba llamando a update_state_ Depth() pero pasaba solo la parte fija del registro de compensación, ignorando la variable compensación. Esto era incorrecto; en su lugar se debe utilizar el valor mínimo posible de ese registro. Este seguimiento ahora se soluciona centralizando el seguimiento del tamaño de la pila en grow_stack_state() y elevando las llamadas a grow_stack_state() a check_stack_access_within_bounds() como lo sugiere Andrii. El código ahora es más simple y rastrea de manera más convincente el tamaño máximo de pila correcto. check_stack_range_initialized() ahora puede confiar en que se haya asignado suficiente pila para el acceso; esto ayuda con la solución del primer problema. Se cambiaron algunas pruebas para verificar también el cálculo de la profundidad de la pila. El que falla sin este parche es verifier_var_off:stack_write_priv_vs_unpriv."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-665"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.6.14","matchCriteriaId":"5506E74E-8B6D-44EB-8689-EA6ED09F7FFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.0","versionEndExcluding":"6.7.2","matchCriteriaId":"0EA3778C-730B-464C-8023-18CA6AC0B807"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}