CVE-2024-46754

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Remove tst_run from lwt_seg6local_prog_ops.

The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first.

Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it.

Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux004d4b274e2a1a895a0e5dc66158b90a7d463d44 < 9cd15511de7c619bbd0f54bb3f28e6e720ded5d6affected
LinuxLinux004d4b274e2a1a895a0e5dc66158b90a7d463d44 < c13fda93aca118b8e5cd202e339046728ee7dddbaffected
LinuxLinux4.18affected
LinuxLinux0 < 4.18unaffected
LinuxLinux6.10.10 <= 6.10.*unaffected
LinuxLinux6.11 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References