CVE-2024-50163

bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

The bpf_redirect_info is shared between the SKB and XDP redirect paths,
and the two paths use the same numeric flag values in the ri->flags
field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
subsequently, an XDP redirect is performed using the same
bpf_redirect_info struct, the XDP path will get confused and end up
crashing, which syzbot managed to trigger.

With the stack-allocated bpf_redirect_info, the structure is no longer
shared between the SKB and XDP paths, so the crash doesn't happen
anymore. However, different code paths using identically-numbered flag
values in the same struct field still seems like a bit of a mess, so
this patch cleans that up by moving the flag definitions together and
redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
sure the overlap is not re-introduced by mistake.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Asegúrese de que los indicadores bpf_redirect internos y de UAPI no se superpongan El bpf_redirect_info se comparte entre las rutas de redireccionamiento de SKB y XDP, y las dos rutas usan los mismos valores de indicador numérico en el campo ri->flags (específicamente, BPF_F_BROADCAST == BPF_F_NEXTHOP). Esto significa que si se usa skb bpf_redirect_neigh() con un argumento params distinto de NULL y, posteriormente, se realiza una redirección de XDP usando la misma estructura bpf_redirect_info, la ruta de XDP se confundirá y terminará fallando, lo que syzbot logró activar. Con el bpf_redirect_info asignado a la pila, la estructura ya no se comparte entre las rutas de SKB y XDP, por lo que el bloqueo ya no ocurre. Sin embargo, el uso de diferentes rutas de código que utilizan valores de indicadores numerados de manera idéntica en el mismo campo de estructura sigue pareciendo un poco confuso, por lo que este parche soluciona el problema juntando las definiciones de indicadores y redefiniendo los tres indicadores en BPF_F_REDIRECT_INTERNAL para que no se superpongan con los indicadores utilizados para XDP. También agrega una comprobación BUILD_BUG_ON() para asegurarse de que la superposición no se vuelva a introducir por error.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-10-21 CVE Reserved
2024-11-07 CVE Published
2024-11-07 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/e624d4ed4aa8cc3c69d1359b0aaea539203ed266	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4e1e428533845d48828bd3875c0e92e8565b9962	2024-11-01
https://git.kernel.org/stable/c/314dbee9fe4f5cee36435465de52c988d7caa466	2024-11-01
https://git.kernel.org/stable/c/0fca5ed4be8e8bfbfb9bd97845af596bab7192d3	2024-11-01
https://git.kernel.org/stable/c/cec288e05ceac9a0d3a3a1fd279534b11844c826	2024-11-01
https://git.kernel.org/stable/c/09d88791c7cd888d5195c84733caf9183dcfbd16	2024-10-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 5.15.170 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.15.170"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.1.115 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.1.115"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.6.59 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.6.59"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.11.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.11.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.12-rc4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.12-rc4"		en		Affected