CVE-2025-38502 Information

Description

In the Linux kernel the following vulnerability has been resolved:

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However in the runtime context the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context:

ctx = container_of(current->bpf_ctx struct bpf_cg_run_ctx run_ctx); storage = ctx->prog_item->cgroup_storage[stype];

if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = &READ_ONCE(storage->buf)->data[0]; else ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached one this means bpf_get_local_storage() will pick up the former program’s map not its own. With mismatching sizes this can result in an unintended out-of-bounds access.

To fix this issue we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage() or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.

Reference

https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513

Related CNNVD

CNNVD-202508-1920 (Published: 2025-08-16)