Bug 2364098 (CVE-2024-58237) - CVE-2024-58237 kernel: bpf: consider that tail calls invalidate packet pointers
Summary: CVE-2024-58237 kernel: bpf: consider that tail calls invalidate packet pointers
Keywords:
Status: NEW
Alias: CVE-2024-58237
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-05-05 15:01 UTC by OSIDB Bzimport
Modified: 2025-05-06 03:41 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-05-05 15:01:17 UTC
In the Linux kernel, the following vulnerability has been resolved:

bpf: consider that tail calls invalidate packet pointers

Tail-called programs could execute any of the helpers that invalidate
packet pointers. Hence, conservatively assume that each tail call
invalidates packet pointers.

Making the change in bpf_helper_changes_pkt_data() automatically makes
use of check_cfg() logic that computes 'changes_pkt_data' effect for
global sub-programs, such that the following program could be
rejected:

    int tail_call(struct __sk_buff *sk)
    {
    	bpf_tail_call_static(sk, &jmp_table, 0);
    	return 0;
    }

    SEC("tc")
    int not_safe(struct __sk_buff *sk)
    {
    	int *p = (void *)(long)sk->data;
    	... make p valid ...
    	tail_call(sk);
    	*p = 42; /* this is unsafe */
    	...
    }

The tc_bpf2bpf.c:subprog_tc() needs a change: mark it as a function that
can invalidate packet pointers. Otherwise, it can't be freplaced with
tailcall_freplace.c:entry_freplace() that does a tail call.
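The following is an added, simplified model of the verifier behaviour the commit describes; it is not the kernel's code (the real logic lives in bpf_helper_changes_pkt_data() and check_cfg()). It assumes a tiny instruction vocabulary ("load_pkt", "call", "use_pkt"), a constructed encoding of the not_safe/tail_call program quoted above, and a `tail_call_invalidates` switch that stands for the before/after state of the fix.

```python
# Added model: which calls may invalidate packet pointers, and how that
# effect propagates through subprograms (a simplified stand-in for the
# kernel's bpf_helper_changes_pkt_data() / check_cfg() logic, not that code).

# A few of the helpers the kernel already treats as changing packet data.
PKT_CHANGING_HELPERS = {
    "bpf_skb_pull_data", "bpf_skb_change_tail",
    "bpf_skb_adjust_room", "bpf_xdp_adjust_head",
}
TAIL_CALL = "bpf_tail_call"  # bpf_tail_call_static() expands to this helper


def call_changes_pkt_data(prog, callee, tail_call_invalidates, seen=None):
    """True if a call to `callee` (helper or subprogram) may invalidate
    packet pointers.  A subprogram inherits the effect of everything it
    calls, mirroring the per-subprogram 'changes_pkt_data' flag."""
    if callee == TAIL_CALL:
        return tail_call_invalidates      # the fix makes this True
    if callee in PKT_CHANGING_HELPERS:
        return True
    if callee not in prog:
        return False                      # any other helper: harmless
    if seen is None:
        seen = set()
    if callee in seen:                    # guard against recursive subprogs
        return False
    seen.add(callee)
    return any(call_changes_pkt_data(prog, op[1], tail_call_invalidates, seen)
               for op in prog[callee] if op[0] == "call")


def verify(prog, entry, tail_call_invalidates):
    """Return None if `entry` is safe, else a verifier-style rejection."""
    valid = set()                         # packet pointers currently usable
    for op, arg in prog[entry]:
        if op == "load_pkt":              # p = skb->data, bounds-checked
            valid.add(arg)
        elif op == "call":
            if call_changes_pkt_data(prog, arg, tail_call_invalidates):
                valid.clear()             # every packet pointer is stale now
        elif op == "use_pkt" and arg not in valid:
            return f"invalid mem access: packet pointer {arg} invalidated by call"
    return None


# Constructed encoding of the program quoted in the commit message.
PROGRAM = {
    "tail_call": [("call", TAIL_CALL)],
    "not_safe": [("load_pkt", "p"), ("call", "tail_call"), ("use_pkt", "p")],
}
```

With `tail_call_invalidates=False` (the pre-fix behaviour) `verify(PROGRAM, "not_safe", False)` accepts the program; with `True` it is rejected, and the effect is found through the intermediate tail_call subprogram rather than at a direct helper call.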

Comment 1 Avinash Hanwate 2025-05-06 03:37:09 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050540-CVE-2024-58237-e263@gregkh/T

