CVE-2024-58237

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: consider that tail calls invalidate packet pointers Tail-called programs could execute any of the helpers that invalidate packet pointers. Hence, conservatively assume that each tail call invalidates packet pointers. Making the change in bpf_helper_changes_pkt_data() automatically makes use of check_cfg() logic that computes 'changes_pkt_data' effect for global sub-programs, such that the following program could be rejected: int tail_call(struct __sk_buff *sk) { bpf_tail_call_static(sk, &jmp_table, 0); return 0; } SEC("tc") int not_safe(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; ... make p valid ... tail_call(sk); *p = 42; /* this is unsafe */ ... } The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that can invalidate packet pointers. Otherwise, it can't be freplaced with tailcall_freplace.c:entry_freplace() that does a tail call.

Reserved 2025-04-16 | Published 2025-05-05 | Updated 2025-05-09 | Assigner Linux

Product status

Default status
unaffected

51c39bb1d5d105a02e29aa7960f0a395086e6342 before f1692ee23dcaaddc24ba407b269707ee5df1301f
affected

51c39bb1d5d105a02e29aa7960f0a395086e6342 before 1c2244437f9ad3dd91215f920401a14f2542dbfc
affected

51c39bb1d5d105a02e29aa7960f0a395086e6342 before 1a4607ffba35bf2a630aab299e34dd3f6e658d70
affected

Default status
affected

5.6
affected

Any version before 5.6
unaffected

6.6.90
unaffected

6.12.9
unaffected

6.13
unaffected

References

git.kernel.org/...c/f1692ee23dcaaddc24ba407b269707ee5df1301f

git.kernel.org/...c/1c2244437f9ad3dd91215f920401a14f2542dbfc

git.kernel.org/...c/1a4607ffba35bf2a630aab299e34dd3f6e658d70

cve.org (CVE-2024-58237)

nvd.nist.gov (CVE-2024-58237)

Download JSON