Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL.
Product status
492ecee892c2a4ba6a14903d5d586ff750b7e805 (git) before 539137e3038ce6f953efd72110110f03c14c7d97
492ecee892c2a4ba6a14903d5d586ff750b7e805 (git) before 56905bb70c8b88421709bb4e32fcba617aa37d41
492ecee892c2a4ba6a14903d5d586ff750b7e805 (git) before 2579c356ccd35d06238b176e4b460978186d804b
492ecee892c2a4ba6a14903d5d586ff750b7e805 (git) before 7dc211c1159d991db609bdf4b0fb9033c04adcbc
5.1
Any version before 5.1
6.12.63 (semver)
6.17.13 (semver)
6.18.2 (semver)
6.19-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/539137e3038ce6f953efd72110110f03c14c7d97
git.kernel.org/...c/56905bb70c8b88421709bb4e32fcba617aa37d41
git.kernel.org/...c/2579c356ccd35d06238b176e4b460978186d804b
git.kernel.org/...c/7dc211c1159d991db609bdf4b0fb9033c04adcbc
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
