// For flags

CVE-2024-50162

bpf: devmap: provide rxq after redirect

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: devmap: provide rxq after redirect

rxq contains a pointer to the device from where
the redirect happened. Currently, the BPF program
that was executed after a redirect via BPF_MAP_TYPE_DEVMAP*
does not have it set.

This is particularly bad since accessing ingress_ifindex, e.g.

SEC("xdp")
int prog(struct xdp_md *pkt)
{
return bpf_redirect_map(&dev_redirect_map, 0, 0);
}

SEC("xdp/devmap")
int prog_after_redirect(struct xdp_md *pkt)
{
bpf_printk("ifindex %i", pkt->ingress_ifindex);
return XDP_PASS;
}

depends on access to rxq, so a NULL pointer gets dereferenced:

<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
<1>[ 574.475188] #PF: supervisor read access in kernel mode
<1>[ 574.475194] #PF: error_code(0x0000) - not-present page
<6>[ 574.475199] PGD 0 P4D 0
<4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23
<4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023
<4>[ 574.475231] Workqueue: mld mld_ifc_work
<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b
<4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206
<4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000
<4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0
<4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001
<4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000
<4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000
<4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000
<4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0
<4>[ 574.475303] PKRU: 55555554
<4>[ 574.475306] Call Trace:
<4>[ 574.475313] <IRQ>
<4>[ 574.475318] ? __die+0x23/0x70
<4>[ 574.475329] ? page_fault_oops+0x180/0x4c0
<4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490
<4>[ 574.475346] ? kmem_cache_free+0x257/0x280
<4>[ 574.475357] ? exc_page_fault+0x67/0x150
<4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30
<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[ 574.475386] bq_xmit_all+0x158/0x420
<4>[ 574.475397] __dev_flush+0x30/0x90
<4>[ 574.475407] veth_poll+0x216/0x250 [veth]
<4>[ 574.475421] __napi_poll+0x28/0x1c0
<4>[ 574.475430] net_rx_action+0x32d/0x3a0
<4>[ 574.475441] handle_softirqs+0xcb/0x2c0
<4>[ 574.475451] do_softirq+0x40/0x60
<4>[ 574.475458] </IRQ>
<4>[ 574.475461] <TASK>
<4>[ 574.475464] __local_bh_enable_ip+0x66/0x70
<4>[ 574.475471] __dev_queue_xmit+0x268/0xe40
<4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420
<4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0
<4>[ 574.475502] ip6_finish_output2+0x2be/0x640
<4>[ 574.475512] ? nf_hook_slow+0x42/0xf0
<4>[ 574.475521] ip6_finish_output+0x194/0x300
<4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10
<4>[ 574.475538] mld_sendpack+0x17c/0x240
<4>[ 574.475548] mld_ifc_work+0x192/0x410
<4>[ 574.475557] process_one_work+0x15d/0x380
<4>[ 574.475566] worker_thread+0x29d/0x3a0
<4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10
<4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10
<4>[ 574.475587] kthread+0xcd/0x100
<4>[ 574.475597] ? __pfx_kthread+0x10/0x10
<4>[ 574.475606] ret_from_fork+0x31/0x50
<4>[ 574.475615] ? __pfx_kthread+0x10/0x10
<4>[ 574.475623] ret_from_fork_asm+0x1a/0x
---truncated---

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: devmap: proporcionar rxq después de la redirección rxq contiene un puntero al dispositivo desde donde se produjo la redirección. Actualmente, el programa BPF que se ejecutó después de una redirección a través de BPF_MAP_TYPE_DEVMAP* no lo tiene configurado. Esto es particularmente malo ya que se accede a ingress_ifindex, p. ej. SEC("xdp") int prog(struct xdp_md *pkt) { return bpf_redirect_map(&amp;dev_redirect_map, 0, 0); } SEC("xdp/devmap") int prog_after_redirect(struct xdp_md *pkt) { bpf_printk("ifindex %i", pkt-&gt;ingress_ifindex); return XDP_PASS; } depende del acceso a rxq, por lo que un puntero NULL se desreferencia: &lt;1&gt;[ 574.475170] ERROR: desreferencia de puntero NULL del núcleo, dirección: 0000000000000000 &lt;1&gt;[ 574.475188] #PF: acceso de lectura del supervisor en modo núcleo &lt;1&gt;[ 574.475194] #PF: error_code(0x0000) - página no presente &lt;6&gt;[ 574.475199] PGD 0 P4D 0 &lt;4&gt;[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI &lt;4&gt;[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 No contaminado 6.11.0-rc5-reduced-00859-g780801200300 #23 &lt;4&gt;[ 574.475226] Nombre del hardware: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 14/03/2023 &lt;4&gt;[ 574.475231] Cola de trabajo: mld mld_ifc_work &lt;4&gt;[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c &lt;4&gt;[ 574.475257] Código: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 &lt;48&gt; 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b &lt;4&gt;[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 &lt;4&gt;[ 574.475269] RAX: ffffa62440280cd8 RBX: 00000000000000001 RCX: 0000000000000000 &lt;4&gt;[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 &lt;4&gt;[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 &lt;4&gt;[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 &lt;4&gt;[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 &lt;4&gt;[ 574.475289] FS: 000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 &lt;4&gt;[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 000000080050033 &lt;4&gt;[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 &lt;4&gt;[ 574.475303] PKRU: 55555554 &lt;4&gt;[ 574.475306] Rastreo de llamadas: &lt;4&gt;[ 574.475313] &lt;4&gt;[ 574.475318] ? __die+0x23/0x70 &lt;4&gt;[ 574.475329] ? page_fault_oops+0x180/0x4c0 &lt;4&gt;[ 574.475339] ? asm_exc_page_fault+0x26/0x30 &lt;4&gt;[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c &lt;4&gt;[ 574.475386] bq_xmit_all+0x158/0x420 &lt;4&gt;[ 574.475397] __dev_flush+0x30/0x90 &lt;4&gt;[ 574.475407] veth_poll+0x216/0x250 [veth] &lt;4&gt;[ 574.475421] __napi_poll+0x28/0x1c0 &lt;4&gt;[ 574.475430] net_rx_action+0x32d/0x3a0 &lt;4&gt;[ 574.475441] selinux_ip_postroute+0x213/0x420 &lt;4&gt;[ 574.475491] ? nf_hook_slow+0x42/0xf0 &lt;4&gt;[ 574.475521] ip6_finish_output+0x194/0x300 &lt;4&gt;[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10 &lt;4&gt;[ 574.475538] mld_sendpack+0x17c/0x240 &lt;4&gt;[ 574.475548] mld_ifc_work+0x192/0x410 &lt;4&gt;[ 574.475557] proceso_uno_trabajo+0x15d/0x380 &lt;4&gt;[ 574.475566] subproceso_trabajador+0x29d/0x3a0 &lt;4&gt;[ 574.475573] ? __pfx_worker_thread+0x10/0x10 &lt;4&gt;[ 574.475580] ? __pfx_worker_thread+0x10/0x10 &lt;4&gt;[ 574.475587] kthread+0xcd/0x100 &lt;4&gt;[ 574.475597] ? __pfx_kthread+0x10/0x10 &lt;4&gt;[ 574.475606] ret_from_fork+0x31/0x50 &lt;4&gt;[ 574.475615] ? __pfx_kthread+0x10/0x10 &lt;4&gt;[ 574.475623] ret_from_fork_asm+0x1a/0x ---truncado---

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-10-21 CVE Reserved
  • 2024-11-07 CVE Published
  • 2024-11-08 EPSS Updated
  • 2024-11-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.14 < 5.15.170
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.15.170"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.14 < 6.1.115
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.1.115"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.14 < 6.6.59
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.6.59"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.14 < 6.11.6
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.11.6"
en
Affected
Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
 >= 5.14 < 6.12
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.12"
en
Affected