CVE-2023-52676

{"id": "CVE-2023-52676", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-17T15:15:18.633", "references": [{"url": "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Proteger los l\u00edmites de la pila contra el desbordamiento de 32 bits. Este parche promueve que la aritm\u00e9tica en torno a la verificaci\u00f3n de los l\u00edmites de la pila se realice en el dominio de 64 bits, en lugar del actual de 32 bits. La aritm\u00e9tica implica sumar un registro de 64 bits con un desplazamiento int. Se comprob\u00f3 que el registro estaba por debajo de 1&lt;&lt;29 cuando era variable, pero no cuando estaba arreglado. El desplazamiento proviene de una instrucci\u00f3n (en cuyo caso es de 16 bits), de otro registro (en cuyo caso la persona que llama comprob\u00f3 que estaba por debajo de 1&lt;&lt;29 [1]) o del tama\u00f1o de un argumento para kfunc. (en cuyo caso puede ser un u32 [2]). Entre que el registro se verificaba de manera inconsistente para que estuviera por debajo de 1&lt;&lt;29 y el desplazamiento era de hasta u32, parece que est\u00e1bamos abiertos a desbordar los \"int\" que se usaban actualmente para la aritm\u00e9tica. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e 50f6cd80eb10235fe3e9/n\u00facleo /bpf/verifier.c#L11904"}], "lastModified": "2025-09-25T16:23:01.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EEAEE35-CD34-43B5-8F63-EA8A43513930", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.33"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F024C7CE-4C5E-46AF-AEA5-D041B2AA3B2B", "versionEndExcluding": "6.6.14", "versionStartIncluding": "5.11.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7229C448-E0C9-488B-8939-36BA5254065E", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}