Bug 2320206 (CVE-2024-49850) - CVE-2024-49850 kernel: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
Summary: CVE-2024-49850 kernel: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL...
Keywords:
Status: NEW
Alias: CVE-2024-49850
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2320317
Blocks:
 
Reported: 2024-10-21 13:02 UTC by OSIDB Bzimport
Modified: 2024-10-21 14:14 UTC (History)
CC List: 0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-10-21 13:02:09 UTC
In the Linux kernel, the following vulnerability has been resolved:

bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos

In case of a malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
referencing a non-existing BTF type, function bpf_core_calc_relo_insn
would cause a null pointer dereference.

Fix this by adding a proper check higher up in the call stack, as malformed
relocation records could be passed from user space.

Simplest reproducer is a program:

    r0 = 0
    exit

With a single relocation record:

    .insn_off = 0,          /* patch first instruction */
    .type_id = 100500,      /* this type id does not exist */
    .access_str_off = 6,    /* offset of string "0" */
    .kind = BPF_CORE_TYPE_ID_LOCAL,

See the link for original reproducer or next commit for a test case.
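The crash described above comes from using relo->type_id to look up a BTF type before anyone has checked that the BTF actually contains such a type. As an added illustration (not kernel code and not the original reproducer), the following userspace C program models the kind of validation the fix adds higher in the call stack: it parses a small constructed BTF blob, counts its types, and then rejects a relocation record whose insn_off, kind, type_id or access string is out of range, including the record quoted above with type_id 100500. The BTF blob (one BTF_KIND_INT named "long", with the accessor string "0" placed at string offset 6 to match the record), the btf_view struct, check_core_relo, check_sample and the relo_err codes are assumptions of this example; the numeric constants are the UAPI values from include/uapi/linux/btf.h and bpf.h.

```c
/* Userspace model of validating CO-RE relocation records against BTF.
 * Added example; the kernel's own code is not reproduced here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* UAPI constants (include/uapi/linux/btf.h, bpf.h). */
#define BTF_MAGIC 0xeB9F               /* little-endian host assumed */
#define BTF_INT_SIGNED (1u << 0)
enum { BTF_KIND_UNKN, BTF_KIND_INT, BTF_KIND_PTR, BTF_KIND_ARRAY, BTF_KIND_STRUCT,
       BTF_KIND_UNION, BTF_KIND_ENUM, BTF_KIND_FWD, BTF_KIND_TYPEDEF, BTF_KIND_VOLATILE,
       BTF_KIND_CONST, BTF_KIND_RESTRICT, BTF_KIND_FUNC, BTF_KIND_FUNC_PROTO, BTF_KIND_VAR,
       BTF_KIND_DATASEC, BTF_KIND_FLOAT, BTF_KIND_DECL_TAG, BTF_KIND_TYPE_TAG, BTF_KIND_ENUM64 };
#define BPF_CORE_TYPE_ID_LOCAL 6       /* enum bpf_core_relo_kind */
#define BPF_CORE_RELO_KIND_MAX 12      /* BPF_CORE_TYPE_MATCHES, the last kind */

struct btf_header { uint16_t magic; uint8_t version; uint8_t flags; uint32_t hdr_len;
                    uint32_t type_off, type_len, str_off, str_len; };
struct btf_type { uint32_t name_off; uint32_t info; uint32_t size; };
struct bpf_core_relo { uint32_t insn_off; uint32_t type_id; uint32_t access_str_off; uint32_t kind; };

/* Example-only view of a parsed BTF blob (assumption, not a kernel struct). */
struct btf_view { const uint8_t *strs; uint32_t str_len; uint32_t nr_types; };
enum relo_err { RELO_OK = 0, RELO_BAD_BTF, RELO_BAD_INSN, RELO_BAD_KIND, RELO_BAD_TYPE_ID, RELO_BAD_STR };

/* Bytes following struct btf_type for each kind, mirroring the UAPI layout. */
static int btf_extra_bytes(uint32_t kind, uint32_t vlen, size_t *extra)
{
    switch (kind) {
    case BTF_KIND_INT: case BTF_KIND_VAR: case BTF_KIND_DECL_TAG: *extra = 4; return 0;
    case BTF_KIND_ARRAY: *extra = 12; return 0;                        /* struct btf_array */
    case BTF_KIND_STRUCT: case BTF_KIND_UNION: case BTF_KIND_DATASEC:
    case BTF_KIND_ENUM64: *extra = 12 * (size_t)vlen; return 0;        /* 12-byte entries */
    case BTF_KIND_ENUM: case BTF_KIND_FUNC_PROTO: *extra = 8 * (size_t)vlen; return 0;
    case BTF_KIND_PTR: case BTF_KIND_FWD: case BTF_KIND_TYPEDEF: case BTF_KIND_VOLATILE:
    case BTF_KIND_CONST: case BTF_KIND_RESTRICT: case BTF_KIND_FUNC: case BTF_KIND_FLOAT:
    case BTF_KIND_TYPE_TAG: *extra = 0; return 0;
    default: return -1;                                                /* unknown kind */
    }
}

/* Parse the header, walk the type section and count types; -1 if malformed. */
static int btf_parse(const uint8_t *buf, size_t len, struct btf_view *out)
{
    struct btf_header h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.magic != BTF_MAGIC || h.version != 1 || h.hdr_len != sizeof h) return -1;
    if ((uint64_t)h.hdr_len + h.type_off + h.type_len > len ||
        (uint64_t)h.hdr_len + h.str_off + h.str_len > len) return -1;
    const uint8_t *types = buf + h.hdr_len + h.type_off;
    size_t off = 0; uint32_t n = 0;
    while (off < h.type_len) {
        struct btf_type t; size_t extra;
        if (h.type_len - off < sizeof t) return -1;
        memcpy(&t, types + off, sizeof t);
        if (btf_extra_bytes((t.info >> 24) & 0x1f, t.info & 0xffff, &extra)) return -1;
        off += sizeof t;
        if (h.type_len - off < extra) return -1;
        off += extra; n++;
    }
    out->strs = buf + h.hdr_len + h.str_off; out->str_len = h.str_len;
    if (h.str_len == 0 || out->strs[0] != '\0') return -1;            /* strings start with "" */
    out->nr_types = n;                                                 /* ids 1..n; 0 is void */
    return 0;
}

/* The check the crash needed: validate a record before any type lookup. */
static enum relo_err check_core_relo(const struct bpf_core_relo *r, uint32_t insn_cnt,
                                     const struct btf_view *btf)
{
    if (r->insn_off % 8 != 0 || r->insn_off / 8 >= insn_cnt) return RELO_BAD_INSN;
    if (r->kind > BPF_CORE_RELO_KIND_MAX) return RELO_BAD_KIND;
    if (r->type_id > btf->nr_types) return RELO_BAD_TYPE_ID;            /* 100500 fails here */
    if (r->access_str_off >= btf->str_len) return RELO_BAD_STR;
    if (!memchr(btf->strs + r->access_str_off, '\0', btf->str_len - r->access_str_off))
        return RELO_BAD_STR;                                           /* must be NUL-terminated */
    return RELO_OK;
}

/* Constructed BTF blob: one BTF_KIND_INT "long" (type id 1). The string table
 * "\0long\0" "0\0" places the accessor "0" at offset 6, as in the quoted record. */
static size_t build_sample_btf(uint8_t *buf, size_t cap)
{
    static const char strs[] = "\0long\0" "0";                         /* 8 bytes incl. final NUL */
    struct btf_type t = { .name_off = 1, .info = (uint32_t)BTF_KIND_INT << 24, .size = 8 };
    uint32_t int_enc = (BTF_INT_SIGNED << 24) | 64;                    /* signed, 64 bits */
    struct btf_header h = { .magic = BTF_MAGIC, .version = 1, .hdr_len = sizeof h,
        .type_off = 0, .type_len = sizeof t + sizeof int_enc,
        .str_off = sizeof t + sizeof int_enc, .str_len = sizeof strs };
    size_t need = sizeof h + h.type_len + h.str_len;
    if (cap < need) return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &t, sizeof t);
    memcpy(buf + sizeof h + sizeof t, &int_enc, sizeof int_enc);
    memcpy(buf + sizeof h + h.type_len, strs, sizeof strs);
    return need;
}

/* Check one record against the sample BTF and the two-instruction program "r0 = 0; exit". */
static enum relo_err check_sample(struct bpf_core_relo r)
{
    uint8_t blob[64]; struct btf_view v;
    size_t len = build_sample_btf(blob, sizeof blob);
    if (!len || btf_parse(blob, len, &v)) return RELO_BAD_BTF;
    return check_core_relo(&r, 2, &v);
}

int main(void)
{
    struct bpf_core_relo bad = { 0, 100500, 6, BPF_CORE_TYPE_ID_LOCAL };  /* the quoted record */
    struct bpf_core_relo good = { 0, 1, 6, BPF_CORE_TYPE_ID_LOCAL };
    printf("type_id 100500 -> err %d, type_id 1 -> err %d\n", check_sample(bad), check_sample(good));
    return 0;
}
```

The point of the model is ordering: every field of the record is bounds-checked against the program length, the BTF type count and the string section before anything dereferences the type it names, which is what prevents a crafted type_id from reaching code that assumes the lookup succeeded.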

