Bug 2426082 (CVE-2023-54181) - CVE-2023-54181 kernel: bpf: Fix issue in verifying allow_ptr_leaks
Summary: CVE-2023-54181 kernel: bpf: Fix issue in verifying allow_ptr_leaks
Keywords:
Status: NEW
Alias: CVE-2023-54181
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-30 13:07 UTC by OSIDB Bzimport
Modified: 2025-12-31 10:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-30 13:07:37 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix issue in verifying allow_ptr_leaks

After we converted the capabilities of our networking-bpf program from
cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
failed to start. Because it failed the bpf verifier, and the error log
is "R3 pointer comparison prohibited".

A simple reproducer as follows,

SEC("cls-ingress")
int ingress(struct __sk_buff *skb)
{
	struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);

	if ((long)(iph + 1) > (long)skb->data_end)
		return TC_ACT_STOLEN;
	return TC_ACT_OK;
}

Per discussion with Yonghong and Alexei [1], comparison of two packet
pointers is not a pointer leak. This patch fixes it.

Our local kernel is 6.1.y and we expect this fix to be backported to
6.1.y, so stable is CCed.

[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
Comment 1 Alexander B 2025-12-31 10:34:33 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025123024-CVE-2023-54181-ef94@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.