CVE-2024-50163
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Make sure internal and UAPI bpf_redirect flags don't overlap
The bpf_redirect_info is shared between the SKB and XDP redirect paths,
and the two paths use the same numeric flag values in the ri->flags
field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that
if skb bpf_redirect_neigh() is used with a non-NULL params argument and,
subsequently, an XDP redirect is performed using the same
bpf_redirect_info struct, the XDP path will get confused and end up
crashing, which syzbot managed to trigger.
With the stack-allocated bpf_redirect_info, the structure is no longer
shared between the SKB and XDP paths, so the crash doesn't happen
anymore. However, different code paths using identically-numbered flag
values in the same struct field still seems like a bit of a mess, so
this patch cleans that up by moving the flag definitions together and
redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap
with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make
sure the overlap is not re-introduced by mistake.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e624d4ed4aa8cc3c69d1359b0aaea539203ed266 Version: e624d4ed4aa8cc3c69d1359b0aaea539203ed266 Version: e624d4ed4aa8cc3c69d1359b0aaea539203ed266 Version: e624d4ed4aa8cc3c69d1359b0aaea539203ed266 Version: e624d4ed4aa8cc3c69d1359b0aaea539203ed266 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/uapi/linux/bpf.h", "net/core/filter.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4e1e428533845d48828bd3875c0e92e8565b9962", "status": "affected", "version": "e624d4ed4aa8cc3c69d1359b0aaea539203ed266", "versionType": "git" }, { "lessThan": "314dbee9fe4f5cee36435465de52c988d7caa466", "status": "affected", "version": "e624d4ed4aa8cc3c69d1359b0aaea539203ed266", "versionType": "git" }, { "lessThan": "0fca5ed4be8e8bfbfb9bd97845af596bab7192d3", "status": "affected", "version": "e624d4ed4aa8cc3c69d1359b0aaea539203ed266", "versionType": "git" }, { "lessThan": "cec288e05ceac9a0d3a3a1fd279534b11844c826", "status": "affected", "version": "e624d4ed4aa8cc3c69d1359b0aaea539203ed266", "versionType": "git" }, { "lessThan": "09d88791c7cd888d5195c84733caf9183dcfbd16", "status": "affected", "version": "e624d4ed4aa8cc3c69d1359b0aaea539203ed266", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/uapi/linux/bpf.h", "net/core/filter.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Make sure internal and UAPI bpf_redirect flags don\u0027t overlap\n\nThe bpf_redirect_info is shared between the SKB and XDP redirect paths,\nand the two paths use the same numeric flag values in the ri-\u003eflags\nfield (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that\nif skb bpf_redirect_neigh() is used with a non-NULL params argument and,\nsubsequently, an XDP redirect is performed using the same\nbpf_redirect_info struct, the XDP path will get confused and end up\ncrashing, which syzbot managed to trigger.\n\nWith the stack-allocated bpf_redirect_info, the structure is no longer\nshared between the SKB and XDP paths, so the crash doesn\u0027t happen\nanymore. However, different code paths using identically-numbered flag\nvalues in the same struct field still seems like a bit of a mess, so\nthis patch cleans that up by moving the flag definitions together and\nredefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap\nwith the flags used for XDP. It also adds a BUILD_BUG_ON() check to make\nsure the overlap is not re-introduced by mistake." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:26.654Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4e1e428533845d48828bd3875c0e92e8565b9962" }, { "url": "https://git.kernel.org/stable/c/314dbee9fe4f5cee36435465de52c988d7caa466" }, { "url": "https://git.kernel.org/stable/c/0fca5ed4be8e8bfbfb9bd97845af596bab7192d3" }, { "url": "https://git.kernel.org/stable/c/cec288e05ceac9a0d3a3a1fd279534b11844c826" }, { "url": "https://git.kernel.org/stable/c/09d88791c7cd888d5195c84733caf9183dcfbd16" } ], "title": "bpf: Make sure internal and UAPI bpf_redirect flags don\u0027t overlap", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50163", "datePublished": "2024-11-07T09:31:40.146Z", "dateReserved": "2024-10-21T19:36:19.961Z", "dateUpdated": "2024-12-19T09:34:26.654Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-50163\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-07T10:15:07.627\",\"lastModified\":\"2024-11-22T17:34:53.297\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Make sure internal and UAPI bpf_redirect flags don\u0027t overlap\\n\\nThe bpf_redirect_info is shared between the SKB and XDP redirect paths,\\nand the two paths use the same numeric flag values in the ri-\u003eflags\\nfield (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that\\nif skb bpf_redirect_neigh() is used with a non-NULL params argument and,\\nsubsequently, an XDP redirect is performed using the same\\nbpf_redirect_info struct, the XDP path will get confused and end up\\ncrashing, which syzbot managed to trigger.\\n\\nWith the stack-allocated bpf_redirect_info, the structure is no longer\\nshared between the SKB and XDP paths, so the crash doesn\u0027t happen\\nanymore. However, different code paths using identically-numbered flag\\nvalues in the same struct field still seems like a bit of a mess, so\\nthis patch cleans that up by moving the flag definitions together and\\nredefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap\\nwith the flags used for XDP. It also adds a BUILD_BUG_ON() check to make\\nsure the overlap is not re-introduced by mistake.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Aseg\u00farese de que los indicadores bpf_redirect internos y de UAPI no se superpongan El bpf_redirect_info se comparte entre las rutas de redireccionamiento de SKB y XDP, y las dos rutas usan los mismos valores de indicador num\u00e9rico en el campo ri-\u0026gt;flags (espec\u00edficamente, BPF_F_BROADCAST == BPF_F_NEXTHOP). Esto significa que si se usa skb bpf_redirect_neigh() con un argumento params distinto de NULL y, posteriormente, se realiza una redirecci\u00f3n de XDP usando la misma estructura bpf_redirect_info, la ruta de XDP se confundir\u00e1 y terminar\u00e1 fallando, lo que syzbot logr\u00f3 activar. Con el bpf_redirect_info asignado a la pila, la estructura ya no se comparte entre las rutas de SKB y XDP, por lo que el bloqueo ya no ocurre. Sin embargo, el uso de diferentes rutas de c\u00f3digo que utilizan valores de indicadores numerados de manera id\u00e9ntica en el mismo campo de estructura sigue pareciendo un poco confuso, por lo que este parche soluciona el problema juntando las definiciones de indicadores y redefiniendo los tres indicadores en BPF_F_REDIRECT_INTERNAL para que no se superpongan con los indicadores utilizados para XDP. Tambi\u00e9n agrega una comprobaci\u00f3n BUILD_BUG_ON() para asegurarse de que la superposici\u00f3n no se vuelva a introducir por error.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14\",\"versionEndExcluding\":\"5.15.170\",\"matchCriteriaId\":\"53E8194F-DD7E-4112-80DD-3E7EF9172D6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.115\",\"matchCriteriaId\":\"C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.59\",\"matchCriteriaId\":\"5D15CA59-D15C-4ACD-8B03-A072DEAD2081\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.6\",\"matchCriteriaId\":\"E4486B12-007B-4794-9857-F07145637AA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/09d88791c7cd888d5195c84733caf9183dcfbd16\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0fca5ed4be8e8bfbfb9bd97845af596bab7192d3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/314dbee9fe4f5cee36435465de52c988d7caa466\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4e1e428533845d48828bd3875c0e92e8565b9962\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cec288e05ceac9a0d3a3a1fd279534b11844c826\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.