
THREATINT
PUBLISHED

CVE-2024-58098

bpf: track changes_pkt_data property for global functions

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: track changes_pkt_data property for global functions

When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program:

    __attribute__((__noinline__))
    long skb_pull_data(struct __sk_buff *sk, __u32 len)
    {
        return bpf_skb_pull_data(sk, len);
    }

    SEC("tc")
    int test_invalidate_checks(struct __sk_buff *sk)
    {
        int *p = (void *)(long)sk->data;

        if ((void *)(p + 1) > (void *)(long)sk->data_end)
            return TCX_DROP;
        skb_pull_data(sk, 0);
        *p = 42;
        return TCX_PASS;
    }

After a call to bpf_skb_pull_data() the pointer 'p' can't be used safely. See function filter.c:bpf_helper_changes_pkt_data() for a list of such helpers.

At the moment verifier invalidates packet pointers when processing helper function calls, and does not traverse global sub-programs when processing calls to global sub-programs. This means that calls to helpers done from global sub-programs do not invalidate pointers in the caller state. E.g. the program above is unsafe, but is not rejected by verifier.

This commit fixes the omission by computing field bpf_subprog_info->changes_pkt_data for each sub-program before main verification pass. changes_pkt_data should be set if:
- subprogram calls helper for which bpf_helper_changes_pkt_data returns true;
- subprogram calls a global function, for which bpf_subprog_info->changes_pkt_data should be set.

The verifier.c:check_cfg() pass is modified to compute this information.

The commit relies on depth first instruction traversal done by check_cfg() and absence of recursive function calls:
- check_cfg() would eventually visit every call to subprogram S in a state when S is fully explored;
- when S is fully explored:
  - every direct helper call within S is explored (and thus changes_pkt_data is set if needed);
  - every call to subprogram S1 called by S was visited with S1 fully explored (and thus S inherits changes_pkt_data from S1).

The downside of such approach is that dead code elimination is not taken into account: if a helper call inside global function is dead because of current configuration, verifier would conservatively assume that the call occurs for the purpose of the changes_pkt_data computation.
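The propagation rule in the description is easy to see in a small model. The following C program is an added example, not kernel code and not part of the advisory: it encodes sub-programs as a toy instruction list (the instruction kinds, the helper ids and the subprog layout are all constructed for this illustration), computes a changes_pkt_data bit per sub-program with a depth-first walk that fully explores each callee before its caller inherits the bit, and contrasts that with the pre-fix view in which only a caller's own direct helper calls count. The constructed program mirrors the one in the description: subprog 0 stands for test_invalidate_checks and subprog 1 for skb_pull_data.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy instruction encoding (constructed for this example). */
enum insn_kind { INSN_OTHER, INSN_HELPER_CALL, INSN_SUBPROG_CALL, INSN_EXIT };

struct insn {
    enum insn_kind kind;
    int arg;                  /* helper id, or index of the called sub-program */
};

#define MAX_INSNS 16

struct subprog {
    const char *name;
    int n_insns;
    struct insn insns[MAX_INSNS];
};

/* Hypothetical helper ids; only the skb_pull_data stand-in changes packet
 * data, playing the role of filter.c:bpf_helper_changes_pkt_data(). */
enum helper_id { HELPER_MAP_LOOKUP_ELEM = 1, HELPER_SKB_PULL_DATA = 2 };

static bool helper_changes_pkt_data(int helper)
{
    return helper == HELPER_SKB_PULL_DATA;
}

/* Per-sub-program result, like bpf_subprog_info->changes_pkt_data,
 * plus an 'explored' mark for the depth-first walk. */
struct subprog_info {
    bool changes_pkt_data;
    bool explored;
};

/* Depth-first: a callee is fully explored before the caller reads its bit.
 * Like check_cfg(), this relies on the absence of recursive calls.
 * Every instruction is visited, so dead helper calls still count (the
 * conservative behaviour the commit message describes). */
static void explore(const struct subprog *progs, struct subprog_info *info, int s)
{
    if (info[s].explored)
        return;
    info[s].explored = true;
    for (int i = 0; i < progs[s].n_insns; i++) {
        const struct insn *in = &progs[s].insns[i];
        if (in->kind == INSN_HELPER_CALL) {
            if (helper_changes_pkt_data(in->arg))
                info[s].changes_pkt_data = true;
        } else if (in->kind == INSN_SUBPROG_CALL) {
            explore(progs, info, in->arg);           /* callee first ... */
            if (info[in->arg].changes_pkt_data)       /* ... then inherit */
                info[s].changes_pkt_data = true;
        }
    }
}

/* Fixed behaviour: direct helper calls and callees both set the bit. */
static void compute_changes_pkt_data(const struct subprog *progs, int n,
                                     struct subprog_info *info)
{
    for (int s = 0; s < n; s++)
        info[s].changes_pkt_data = info[s].explored = false;
    for (int s = 0; s < n; s++)
        explore(progs, info, s);
}

/* Pre-fix view: only the sub-program's own direct helper calls are seen,
 * so a helper call hidden inside a global function goes unnoticed. */
static bool direct_helper_calls_only(const struct subprog *p)
{
    for (int i = 0; i < p->n_insns; i++)
        if (p->insns[i].kind == INSN_HELPER_CALL &&
            helper_changes_pkt_data(p->insns[i].arg))
            return true;
    return false;
}

/* Constructed program shaped like the one in the description. */
#define N_SUBPROGS 2
static const struct subprog example[N_SUBPROGS] = {
    { "test_invalidate_checks", 3,
      { { INSN_OTHER, 0 }, { INSN_SUBPROG_CALL, 1 }, { INSN_EXIT, 0 } } },
    { "skb_pull_data", 2,
      { { INSN_HELPER_CALL, HELPER_SKB_PULL_DATA }, { INSN_EXIT, 0 } } },
};

/* Whether sub-program s is marked as changing packet data, with or
 * without the propagation introduced by the fix. */
bool prog_changes_pkt_data(int s, bool with_fix)
{
    struct subprog_info info[N_SUBPROGS];

    if (!with_fix)
        return direct_helper_calls_only(&example[s]);
    compute_changes_pkt_data(example, N_SUBPROGS, info);
    return info[s].changes_pkt_data;
}

int main(void)
{
    for (int s = 0; s < N_SUBPROGS; s++)
        printf("%-22s before fix: %d  after fix: %d\n", example[s].name,
               prog_changes_pkt_data(s, false), prog_changes_pkt_data(s, true));
    return 0;
}
```

With the fix, the main program inherits the bit from skb_pull_data, so the verifier knows to invalidate packet pointers at the call site; without it, only the callee is marked and the caller's stale pointer 'p' survives. Real control-flow edges, static versus global sub-programs and the verifier's actual instruction format are deliberately left out of this model.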

Reserved 2025-03-06 | Published 2025-05-05 | Updated 2025-05-09 | Assigner Linux

Product status

Git commit ranges (default status: unaffected)
  51c39bb1d5d105a02e29aa7960f0a395086e6342 before 79751e9227a5910c0e5a2c7186877d91821d957d : affected
  51c39bb1d5d105a02e29aa7960f0a395086e6342 before 1d572c60488b52882b719ed273767ee3b280413d : affected
  51c39bb1d5d105a02e29aa7960f0a395086e6342 before 51081a3f25c742da5a659d7fc6fd77ebfdd555be : affected

Kernel versions (default status: affected)
  5.6 : affected
  Any version before 5.6 : unaffected
  6.6.90 : unaffected
  6.12.25 : unaffected
  6.13 : unaffected

References

git.kernel.org/...c/79751e9227a5910c0e5a2c7186877d91821d957d

git.kernel.org/...c/1d572c60488b52882b719ed273767ee3b280413d

git.kernel.org/...c/51081a3f25c742da5a659d7fc6fd77ebfdd555be

cve.org (CVE-2024-58098)

nvd.nist.gov (CVE-2024-58098)

https://cve.threatint.eu/CVE/CVE-2024-58098