CVE-2024-50161
bpf: Check the remaining info_cnt before repeating btf fields
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
bpf: Check the remaining info_cnt before repeating btf fields
When trying to repeat the btf fields for array of nested struct, it
doesn't check the remaining info_cnt. The following splat will be
reported when the value of ret * nelems is greater than BTF_FIELDS_MAX:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49
index 11 is out of range for type 'btf_field_info [11]'
CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
<TASK>
dump_stack_lvl+0x57/0x70
dump_stack+0x10/0x20
ubsan_epilogue+0x9/0x40
__ubsan_handle_out_of_bounds+0x6f/0x80
? kallsyms_lookup_name+0x48/0xb0
btf_parse_fields+0x992/0xce0
map_create+0x591/0x770
__sys_bpf+0x229/0x2410
__x64_sys_bpf+0x1f/0x30
x64_sys_call+0x199/0x9f0
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fea56f2cc5d
......
</TASK>
---[ end trace ]---
Fix it by checking the remaining info_cnt in btf_repeat_fields() before
repeating the btf fields.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Verificar el info_cnt restante antes de repetir los campos btf Al intentar repetir los campos btf para una matriz de estructuras anidadas, no verifica el info_cnt restante. Se informará el siguiente error cuando el valor de ret * nelems sea mayor que BTF_FIELDS_MAX: ------------[ cortar aquí ]------------ UBSAN: array-index-out-of-bounds en ../kernel/bpf/btf.c:3951:49 el índice 11 está fuera de rango para el tipo 'btf_field_info [11]' CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1 Tainted: [O]=OOT_MODULE Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ... Seguimiento de llamadas: dump_stack_lvl+0x57/0x70 dump_stack+0x10/0x20 ubsan_epilogue+0x9/0x40 __ubsan_handle_fuera_de_límites+0x6f/0x80 ? kallsyms_lookup_name+0x48/0xb0 btf_parse_fields+0x992/0xce0 map_create+0x591/0x770 __sys_bpf+0x229/0x2410 __x64_sys_bpf+0x1f/0x30 x64_sys_call+0x199/0x9f0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fea56f2cc5d ...... ---[ fin del seguimiento ]--- Arréglelo comprobando el info_cnt restante en btf_repeat_fields() antes de repetir los campos btf.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2024-10-21 CVE Reserved
- 2024-11-07 CVE Published
- 2024-11-07 CVE Updated
- ---------- EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/64e8ee814819f21beeeda00d4119221443d77992 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://git.kernel.org/stable/c/6f957d972feee9b385ea3ae6530310a84e55ba71 | 2024-11-01 | |
https://git.kernel.org/stable/c/797d73ee232dd1833dec4824bc53a22032e97c1c | 2024-10-09 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.11 < 6.11.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.11.6" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.11 < 6.12-rc4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.12-rc4" | en |
Affected
|