mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
124 lines
7.2 KiB
JSON
124 lines
7.2 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-50063",
|
|
"ASSIGNER": "cve@kernel.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tail call between progs attached to different hooks\n\nbpf progs can be attached to kernel functions, and the attached functions\ncan take different parameters or return different return values. If\nprog attached to one kernel function tail calls prog attached to another\nkernel function, the ctx access or return value verification could be\nbypassed.\n\nFor example, if prog1 is attached to func1 which takes only 1 parameter\nand prog2 is attached to func2 which takes two parameters. Since verifier\nassumes the bpf ctx passed to prog2 is constructed based on func2's\nprototype, verifier allows prog2 to access the second parameter from\nthe bpf ctx passed to it. The problem is that verifier does not prevent\nprog1 from passing its bpf ctx to prog2 via tail call. In this case,\nthe bpf ctx passed to prog2 is constructed from func1 instead of func2,\nthat is, the assumption for ctx access verification is bypassed.\n\nAnother example, if BPF LSM prog1 is attached to hook file_alloc_security,\nand BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier\nknows the return value rules for these two hooks, e.g. it is legal for\nbpf_lsm_audit_rule_known to return positive number 1, and it is illegal\nfor file_alloc_security to return positive number. So verifier allows\nprog2 to return positive number 1, but does not allow prog1 to return\npositive number. The problem is that verifier does not prevent prog1\nfrom calling prog2 via tail call. In this case, prog2's return value 1\nwill be used as the return value for prog1's hook file_alloc_security.\nThat is, the return value rule is bypassed.\n\nThis patch adds restriction for tail call to prevent such bypasses."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "n/a"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Linux",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Linux",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "f1b9509c2fb0ef4db8d22dac9aef8e856a5d81f6",
|
|
"version_value": "d9a807fb7cbfad4328824186e2e4bee28f72169b"
|
|
},
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "5.5",
|
|
"status": "affected"
|
|
},
|
|
{
|
|
"version": "0",
|
|
"lessThan": "5.5",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.1.135",
|
|
"lessThanOrEqual": "6.1.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.6.57",
|
|
"lessThanOrEqual": "6.6.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.11.4",
|
|
"lessThanOrEqual": "6.11.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "6.12",
|
|
"lessThanOrEqual": "*",
|
|
"status": "unaffected",
|
|
"versionType": "original_commit_for_fix"
|
|
}
|
|
],
|
|
"defaultStatus": "affected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/d9a807fb7cbfad4328824186e2e4bee28f72169b",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/d9a807fb7cbfad4328824186e2e4bee28f72169b"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/5d5e3b4cbe8ee16b7bf96fd73a421c92a9da3ca1",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/5d5e3b4cbe8ee16b7bf96fd73a421c92a9da3ca1"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/88c2a10e6c176c2860cd0659f4c0e9d20b3f64d1",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/88c2a10e6c176c2860cd0659f4c0e9d20b3f64d1"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/28ead3eaabc16ecc907cfb71876da028080f6356",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/28ead3eaabc16ecc907cfb71876da028080f6356"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "bippy-1.1.0"
|
|
}
|
|
} |