CVE-2024-49850

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer deference. Fix this by adding a proper check upper in call stack, as malformed relocation records could be passed from user space. Simplest reproducer is a program: r0 = 0 exit With a single relocation record: .insn_off = 0, /* patch first instruction */ .type_id = 100500, /* this type id does not exist */ .access_str_off = 6, /* offset of string "0" */ .kind = BPF_CORE_TYPE_ID_LOCAL, See the link for original reproducer or next commit for a test case.

Reserved 2024-10-21 | Published 2024-10-21 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

74753e1462e77349525daf9eb60ea21ed92d3a97 before dc7ce14f00bcd50641f2110b7a32aa6552e0780f
affected

74753e1462e77349525daf9eb60ea21ed92d3a97 before 2288b54b96dcb55bedebcef3572bb8821fc5e708
affected

74753e1462e77349525daf9eb60ea21ed92d3a97 before 584cd3ff792e1edbea20b2a7df55897159b0be3e
affected

74753e1462e77349525daf9eb60ea21ed92d3a97 before e7e9c5b2dda29067332df2a85b0141a92b41f218
affected

74753e1462e77349525daf9eb60ea21ed92d3a97 before 3d2786d65aaa954ebd3fcc033ada433e10da21c4
affected

Default status
affected

5.17
affected

Any version before 5.17
unaffected

6.1.113
unaffected

6.6.54
unaffected

6.10.13
unaffected

6.11.2
unaffected

6.12
unaffected

References

git.kernel.org/...c/dc7ce14f00bcd50641f2110b7a32aa6552e0780f

git.kernel.org/...c/2288b54b96dcb55bedebcef3572bb8821fc5e708

git.kernel.org/...c/584cd3ff792e1edbea20b2a7df55897159b0be3e

git.kernel.org/...c/e7e9c5b2dda29067332df2a85b0141a92b41f218

git.kernel.org/...c/3d2786d65aaa954ebd3fcc033ada433e10da21c4

cve.org (CVE-2024-49850)

nvd.nist.gov (CVE-2024-49850)

Download JSON