
[CWE-787] OOB write in pcpu_init_value #158

Open

surinderunitone wants to merge 1 commit into master from fix/bpf_issue_007


Conversation

@surinderunitone commented May 15, 2026

Security Fix

Issue: bpf_issue_007
CWE: CWE-787
Match Type: EXACT
Affected File: kernel/bpf/hashtab.c

Vulnerability Description

Security Advisory

Vulnerability: OOB write in pcpu_init_value

CWE: CWE-787

Affected Files: kernel/bpf/hashtab.c

Description:
OOB write in pcpu_init_value

An out-of-bounds read occurs when copying an element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.

The issue happens when:

  1. A CGROUP_STORAGE map is created with value_size not aligned to
    8 bytes (e.g., 4 bytes)
  2. A pcpu map is created with the same value_size (e.g., 4 bytes)
  3. Update element in 2 with data in 1

pcpu_init_value assumes that all sources are rounded up to 8 bytes
and invokes copy_map_value_long to make a data copy. However, the
assumption doesn't stand, since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
The verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by the kernel, so an OOB happens when the
source has only 4 bytes whi

Fix Details

  • Vulnerable Commit: 7aaa8047eafd
  • Reference Fix: 576afddfee8d
  • Generated Fix Match: EXACT

Generated by Intent Security Fixer

CWE-787 security fix generated by AI security fixer.
Original vulnerability in commit 7aaa804.
Reference fix: 576afdd
Match type: EXACT
Generated by Intent Security Fixer
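As an added illustration (not code from this PR or from the kernel), a user-space model of the size mismatch described above: a copy helper that rounds value_size up to 8 bytes over-reads a source that holds exactly value_size bytes, while a helper that copies only the value_size bytes the verifier guarantees stays in bounds. The function names and the bounded-copy variant are hypothetical, not the reference fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round a value size up to the 8-byte multiple the pcpu map slot uses. */
static size_t round_up_8(size_t n) { return (n + 7u) & ~(size_t)7u; }

/* Bytes that a rounded copy of `value_size` would read beyond a source
 * holding only `src_len` bytes; 0 when the copy stays in bounds. */
static size_t overread_bytes(size_t value_size, size_t src_len)
{
	size_t n = round_up_8(value_size);

	return n > src_len ? n - src_len : 0;
}

/* Hypothetical bounded copy: copies exactly value_size bytes, which is all
 * the verifier guarantees the source holds, and zero-fills the padding in the
 * rounded destination slot. Returns 0 on success, -1 on a bounds violation. */
static int copy_value_bounded(uint8_t *dst, size_t dst_len,
			      const uint8_t *src, size_t src_len,
			      size_t value_size)
{
	size_t padded = round_up_8(value_size);

	if (value_size > src_len || padded > dst_len)
		return -1;
	memcpy(dst, src, value_size);
	memset(dst + value_size, 0, padded - value_size);
	return 0;
}

int main(void)
{
	/* Constructed scenario from the PR: value_size 4, source holds exactly
	 * 4 bytes, destination slot rounded to 8. */
	uint8_t src[4] = { 0xde, 0xad, 0xbe, 0xef };
	uint8_t slot[8];

	printf("rounded copy over-reads %zu byte(s)\n",
	       overread_bytes(4, sizeof src));
	if (copy_value_bounded(slot, sizeof slot, src, sizeof src, 4) == 0)
		printf("bounded copy ok, padding=%02x%02x%02x%02x\n",
		       slot[4], slot[5], slot[6], slot[7]);
	return 0;
}
```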