// For flags

CVE-2024-50163

bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

The bpf_redirect_info is shared between the SKB and XDP redirect paths,
and the two paths use the same numeric flag values in the ri->flags
field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
subsequently, an XDP redirect is performed using the same
bpf_redirect_info struct, the XDP path will get confused and end up
crashing, which syzbot managed to trigger.

With the stack-allocated bpf_redirect_info, the structure is no longer
shared between the SKB and XDP paths, so the crash doesn't happen
anymore. However, different code paths using identically-numbered flag
values in the same struct field still seems like a bit of a mess, so
this patch cleans that up by moving the flag definitions together and
redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
sure the overlap is not re-introduced by mistake.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Asegúrese de que los indicadores bpf_redirect internos y de UAPI no se superpongan El bpf_redirect_info se comparte entre las rutas de redireccionamiento de SKB y XDP, y las dos rutas usan los mismos valores de indicador numérico en el campo ri->flags (específicamente, BPF_F_BROADCAST == BPF_F_NEXTHOP). Esto significa que si se usa skb bpf_redirect_neigh() con un argumento params distinto de NULL y, posteriormente, se realiza una redirección de XDP usando la misma estructura bpf_redirect_info, la ruta de XDP se confundirá y terminará fallando, lo que syzbot logró activar. Con el bpf_redirect_info asignado a la pila, la estructura ya no se comparte entre las rutas de SKB y XDP, por lo que el bloqueo ya no ocurre. Sin embargo, el uso de diferentes rutas de código que utilizan valores de indicadores numerados de manera idéntica en el mismo campo de estructura sigue pareciendo un poco confuso, por lo que este parche soluciona el problema juntando las definiciones de indicadores y redefiniendo los tres indicadores en BPF_F_REDIRECT_INTERNAL para que no se superpongan con los indicadores utilizados para XDP. También agrega una comprobación BUILD_BUG_ON() para asegurarse de que la superposición no se vuelva a introducir por error.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-10-21 CVE Reserved
  • 2024-11-07 CVE Published
  • 2024-11-08 EPSS Updated
  • 2024-11-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.14 < 5.15.170
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.15.170"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.14 < 6.1.115
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.1.115"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.14 < 6.6.59
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.6.59"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.14 < 6.11.6
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.11.6"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.14 < 6.12
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.12"
en
Affected