CVE-2024-58100 Information

Description

In the Linux kernel the following vulnerability has been resolved:

bpf: check changes_pkt_data property for extension programs

When processing calls to global sub-programs verifier decides whether to invalidate all packet pointers in current state depending on the changes_pkt_data property of the global sub-program.

Because of this an extension program replacing a global sub-program must be compatible with changes_pkt_data property of the sub-program being replaced.

This commit:

• adds changes_pkt_data flag to struct bpf_prog_aux:

  • this flag is set in check_cfg() for main sub-program;
  • in jit_subprogs() for other sub-programs;

• modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;

• moves call to check_attach_btf_id() after the call to check_cfg() because it needs changes_pkt_data flag to be set:

  bpf_check: … …

  • check_attach_btf_id resolve_pseudo_ldimm64 resolve_pseudo_ldimm64 –> bpf_prog_is_offloaded bpf_prog_is_offloaded check_cfg check_cfg + check_attach_btf_id … …

The following fields are set by check_attach_btf_id():

• env->ops
• prog->aux->attach_btf_trace
• prog->aux->attach_func_name
• prog->aux->attach_func_proto
• prog->aux->dst_trampoline
• prog->aux->mod
• prog->aux->saved_dst_attach_type
• prog->aux->saved_dst_prog_type
• prog->expected_attach_type

Neither of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers) so the reordering is safe.

Reference

https://git.kernel.org/stable/c/3846e2bea565ee1c5195dcc625fda9868fb0e3b3 https://git.kernel.org/stable/c/81f6d0530ba031b5f038a091619bf2ff29568852