CVE-2024-58100
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: check changes_pkt_data property for extension programs
When processing calls to global sub-programs, verifier decides whether to invalidate all packet pointers in current state depending on the changes_pkt_data property of the global sub-program.
Because of this, an extension program replacing a global sub-program must be compatible with changes_pkt_data property of the sub-program being replaced.
This commit:
adds changes_pkt_data flag to struct bpf_prog_aux:
- this flag is set in check_cfg() for main sub-program;
- in jit_subprogs() for other sub-programs;
modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;
moves call to check_attach_btf_id() after the call to check_cfg(), because it needs changes_pkt_data flag to be set:
bpf_check: … …
- check_attach_btf_id resolve_pseudo_ldimm64 resolve_pseudo_ldimm64 –> bpf_prog_is_offloaded bpf_prog_is_offloaded check_cfg check_cfg + check_attach_btf_id … …
The following fields are set by check_attach_btf_id():
- env->ops
- prog->aux->attach_btf_trace
- prog->aux->attach_func_name
- prog->aux->attach_func_proto
- prog->aux->dst_trampoline
- prog->aux->mod
- prog->aux->saved_dst_attach_type
- prog->aux->saved_dst_prog_type
- prog->expected_attach_type
Neither of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers), so the reordering is safe.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | be8704ff07d2374bcc5c675526f95e70c6459683 < 7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7 | affected |
| Linux | Linux | be8704ff07d2374bcc5c675526f95e70c6459683 < 3846e2bea565ee1c5195dcc625fda9868fb0e3b3 | affected |
| Linux | Linux | be8704ff07d2374bcc5c675526f95e70c6459683 < 81f6d0530ba031b5f038a091619bf2ff29568852 | affected |
| Linux | Linux | 5.6 | affected |
| Linux | Linux | 0 < 5.6 | unaffected |
| Linux | Linux | 6.6.90 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.25 <= 6.12.* | unaffected |
| Linux | Linux | 6.13 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7
- https://git.kernel.org/stable/c/3846e2bea565ee1c5195dcc625fda9868fb0e3b3
- https://git.kernel.org/stable/c/81f6d0530ba031b5f038a091619bf2ff29568852
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.