1.6 KiB
CVE-2024-58237
Description
In the Linux kernel, the following vulnerability has been resolved:bpf: consider that tail calls invalidate packet pointersTail-called programs could execute any of the helpers that invalidatepacket pointers. Hence, conservatively assume that each tail callinvalidates packet pointers.Making the change in bpf_helper_changes_pkt_data() automatically makesuse of check_cfg() logic that computes 'changes_pkt_data' effect forglobal sub-programs, such that the following program could berejected: int tail_call(struct __sk_buff *sk) { bpf_tail_call_static(sk, &jmp_table, 0); return 0; } SEC("tc") int not_safe(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; ... make p valid ... tail_call(sk); p = 42; / this is unsafe */ ... }The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function thatcan invalidate packet pointers. Otherwise, it can't be freplaced withtailcall_freplace.c:entry_freplace() that does a tail call.
POC
Reference
No PoCs from references.