cve-2024-50162
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: devmap: provide rxq after redirect
rxq contains a pointer to the device from where
the redirect happened. Currently, the BPF program
that was executed after a redirect via BPF_MAP_TYPE_DEVMAP*
does not have it set.
This is particularly bad since accessing ingress_ifindex, e.g.
SEC("xdp")
int prog(struct xdp_md *pkt)
{
return bpf_redirect_map(&dev_redirect_map, 0, 0);
}
SEC("xdp/devmap")
int prog_after_redirect(struct xdp_md *pkt)
{
bpf_printk("ifindex %i", pkt->ingress_ifindex);
return XDP_PASS;
}
depends on access to rxq, so a NULL pointer gets dereferenced:
<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000
<1>[ 574.475188] #PF: supervisor read access in kernel mode
<1>[ 574.475194] #PF: error_code(0x0000) - not-present page
<6>[ 574.475199] PGD 0 P4D 0
<4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23
<4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023
<4>[ 574.475231] Workqueue: mld mld_ifc_work
<4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b
<4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206
<4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000
<4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0
<4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001
<4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000
<4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000
<4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000
<4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0
<4>[ 574.475303] PKRU: 55555554
<4>[ 574.475306] Call Trace:
<4>[ 574.475313] <IRQ>
<4>[ 574.475318] ? __die+0x23/0x70
<4>[ 574.475329] ? page_fault_oops+0x180/0x4c0
<4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490
<4>[ 574.475346] ? kmem_cache_free+0x257/0x280
<4>[ 574.475357] ? exc_page_fault+0x67/0x150
<4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30
<4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c
<4>[ 574.475386] bq_xmit_all+0x158/0x420
<4>[ 574.475397] __dev_flush+0x30/0x90
<4>[ 574.475407] veth_poll+0x216/0x250 [veth]
<4>[ 574.475421] __napi_poll+0x28/0x1c0
<4>[ 574.475430] net_rx_action+0x32d/0x3a0
<4>[ 574.475441] handle_softirqs+0xcb/0x2c0
<4>[ 574.475451] do_softirq+0x40/0x60
<4>[ 574.475458] </IRQ>
<4>[ 574.475461] <TASK>
<4>[ 574.475464] __local_bh_enable_ip+0x66/0x70
<4>[ 574.475471] __dev_queue_xmit+0x268/0xe40
<4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420
<4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0
<4>[ 574.475502] ip6_finish_output2+0x2be/0x640
<4>[ 574.475512] ? nf_hook_slow+0x42/0xf0
<4>[ 574.475521] ip6_finish_output+0x194/0x300
<4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10
<4>[ 574.475538] mld_sendpack+0x17c/0x240
<4>[ 574.475548] mld_ifc_work+0x192/0x410
<4>[ 574.475557] process_one_work+0x15d/0x380
<4>[ 574.475566] worker_thread+0x29d/0x3a0
<4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10
<4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10
<4>[ 574.475587] kthread+0xcd/0x100
<4>[ 574.475597] ? __pfx_kthread+0x10/0x10
<4>[ 574.475606] ret_from_fork+0x31/0x50
<4>[ 574.475615] ? __pfx_kthread+0x10/0x10
<4>[ 574.475623] ret_from_fork_asm+0x1a/0x
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cb261b594b4108668e00f565184c7c221efe0359 Version: cb261b594b4108668e00f565184c7c221efe0359 Version: cb261b594b4108668e00f565184c7c221efe0359 Version: cb261b594b4108668e00f565184c7c221efe0359 Version: cb261b594b4108668e00f565184c7c221efe0359 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/bpf/devmap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fe068afb868660fe683a8391c6c17ecbe2254922", "status": "affected", "version": "cb261b594b4108668e00f565184c7c221efe0359", "versionType": "git" }, { "lessThan": "a778fbe087c19f4ece5f5fc14173328f070c3803", "status": "affected", "version": "cb261b594b4108668e00f565184c7c221efe0359", "versionType": "git" }, { "lessThan": "49454f09936a9a96edfb047156889879cb4001eb", "status": "affected", "version": "cb261b594b4108668e00f565184c7c221efe0359", "versionType": "git" }, { "lessThan": "9167d1c274a336e4763eeb3f3f9cb763c55df5aa", "status": "affected", "version": "cb261b594b4108668e00f565184c7c221efe0359", "versionType": "git" }, { "lessThan": "ca9984c5f0ab3690d98b13937b2485a978c8dd73", "status": "affected", "version": "cb261b594b4108668e00f565184c7c221efe0359", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/bpf/devmap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: devmap: provide rxq after redirect\n\nrxq contains a pointer to the device from where\nthe redirect happened. Currently, the BPF program\nthat was executed after a redirect via BPF_MAP_TYPE_DEVMAP*\ndoes not have it set.\n\nThis is particularly bad since accessing ingress_ifindex, e.g.\n\nSEC(\"xdp\")\nint prog(struct xdp_md *pkt)\n{\n return bpf_redirect_map(\u0026dev_redirect_map, 0, 0);\n}\n\nSEC(\"xdp/devmap\")\nint prog_after_redirect(struct xdp_md *pkt)\n{\n bpf_printk(\"ifindex %i\", pkt-\u003eingress_ifindex);\n return XDP_PASS;\n}\n\ndepends on access to rxq, so a NULL pointer gets dereferenced:\n\n\u003c1\u003e[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000\n\u003c1\u003e[ 574.475188] #PF: supervisor read access in kernel mode\n\u003c1\u003e[ 574.475194] #PF: error_code(0x0000) - not-present page\n\u003c6\u003e[ 574.475199] PGD 0 P4D 0\n\u003c4\u003e[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n\u003c4\u003e[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23\n\u003c4\u003e[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023\n\u003c4\u003e[ 574.475231] Workqueue: mld mld_ifc_work\n\u003c4\u003e[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\n\u003c4\u003e[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 \u003c48\u003e 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b\n\u003c4\u003e[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206\n\u003c4\u003e[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000\n\u003c4\u003e[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0\n\u003c4\u003e[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001\n\u003c4\u003e[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000\n\u003c4\u003e[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000\n\u003c4\u003e[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000\n\u003c4\u003e[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\u003c4\u003e[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0\n\u003c4\u003e[ 574.475303] PKRU: 55555554\n\u003c4\u003e[ 574.475306] Call Trace:\n\u003c4\u003e[ 574.475313] \u003cIRQ\u003e\n\u003c4\u003e[ 574.475318] ? __die+0x23/0x70\n\u003c4\u003e[ 574.475329] ? page_fault_oops+0x180/0x4c0\n\u003c4\u003e[ 574.475339] ? skb_pp_cow_data+0x34c/0x490\n\u003c4\u003e[ 574.475346] ? kmem_cache_free+0x257/0x280\n\u003c4\u003e[ 574.475357] ? exc_page_fault+0x67/0x150\n\u003c4\u003e[ 574.475368] ? asm_exc_page_fault+0x26/0x30\n\u003c4\u003e[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\n\u003c4\u003e[ 574.475386] bq_xmit_all+0x158/0x420\n\u003c4\u003e[ 574.475397] __dev_flush+0x30/0x90\n\u003c4\u003e[ 574.475407] veth_poll+0x216/0x250 [veth]\n\u003c4\u003e[ 574.475421] __napi_poll+0x28/0x1c0\n\u003c4\u003e[ 574.475430] net_rx_action+0x32d/0x3a0\n\u003c4\u003e[ 574.475441] handle_softirqs+0xcb/0x2c0\n\u003c4\u003e[ 574.475451] do_softirq+0x40/0x60\n\u003c4\u003e[ 574.475458] \u003c/IRQ\u003e\n\u003c4\u003e[ 574.475461] \u003cTASK\u003e\n\u003c4\u003e[ 574.475464] __local_bh_enable_ip+0x66/0x70\n\u003c4\u003e[ 574.475471] __dev_queue_xmit+0x268/0xe40\n\u003c4\u003e[ 574.475480] ? selinux_ip_postroute+0x213/0x420\n\u003c4\u003e[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0\n\u003c4\u003e[ 574.475502] ip6_finish_output2+0x2be/0x640\n\u003c4\u003e[ 574.475512] ? nf_hook_slow+0x42/0xf0\n\u003c4\u003e[ 574.475521] ip6_finish_output+0x194/0x300\n\u003c4\u003e[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10\n\u003c4\u003e[ 574.475538] mld_sendpack+0x17c/0x240\n\u003c4\u003e[ 574.475548] mld_ifc_work+0x192/0x410\n\u003c4\u003e[ 574.475557] process_one_work+0x15d/0x380\n\u003c4\u003e[ 574.475566] worker_thread+0x29d/0x3a0\n\u003c4\u003e[ 574.475573] ? __pfx_worker_thread+0x10/0x10\n\u003c4\u003e[ 574.475580] ? __pfx_worker_thread+0x10/0x10\n\u003c4\u003e[ 574.475587] kthread+0xcd/0x100\n\u003c4\u003e[ 574.475597] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e[ 574.475606] ret_from_fork+0x31/0x50\n\u003c4\u003e[ 574.475615] ? __pfx_kthread+0x10/0x10\n\u003c4\u003e[ 574.475623] ret_from_fork_asm+0x1a/0x\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:25.474Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fe068afb868660fe683a8391c6c17ecbe2254922" }, { "url": "https://git.kernel.org/stable/c/a778fbe087c19f4ece5f5fc14173328f070c3803" }, { "url": "https://git.kernel.org/stable/c/49454f09936a9a96edfb047156889879cb4001eb" }, { "url": "https://git.kernel.org/stable/c/9167d1c274a336e4763eeb3f3f9cb763c55df5aa" }, { "url": "https://git.kernel.org/stable/c/ca9984c5f0ab3690d98b13937b2485a978c8dd73" } ], "title": "bpf: devmap: provide rxq after redirect", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50162", "datePublished": "2024-11-07T09:31:39.141Z", "dateReserved": "2024-10-21T19:36:19.961Z", "dateUpdated": "2024-12-19T09:34:25.474Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-50162\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-07T10:15:07.553\",\"lastModified\":\"2024-11-22T20:37:04.090\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: devmap: provide rxq after redirect\\n\\nrxq contains a pointer to the device from where\\nthe redirect happened. Currently, the BPF program\\nthat was executed after a redirect via BPF_MAP_TYPE_DEVMAP*\\ndoes not have it set.\\n\\nThis is particularly bad since accessing ingress_ifindex, e.g.\\n\\nSEC(\\\"xdp\\\")\\nint prog(struct xdp_md *pkt)\\n{\\n return bpf_redirect_map(\u0026dev_redirect_map, 0, 0);\\n}\\n\\nSEC(\\\"xdp/devmap\\\")\\nint prog_after_redirect(struct xdp_md *pkt)\\n{\\n bpf_printk(\\\"ifindex %i\\\", pkt-\u003eingress_ifindex);\\n return XDP_PASS;\\n}\\n\\ndepends on access to rxq, so a NULL pointer gets dereferenced:\\n\\n\u003c1\u003e[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n\u003c1\u003e[ 574.475188] #PF: supervisor read access in kernel mode\\n\u003c1\u003e[ 574.475194] #PF: error_code(0x0000) - not-present page\\n\u003c6\u003e[ 574.475199] PGD 0 P4D 0\\n\u003c4\u003e[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\\n\u003c4\u003e[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23\\n\u003c4\u003e[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023\\n\u003c4\u003e[ 574.475231] Workqueue: mld mld_ifc_work\\n\u003c4\u003e[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\\n\u003c4\u003e[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 \u003c48\u003e 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b\\n\u003c4\u003e[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206\\n\u003c4\u003e[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000\\n\u003c4\u003e[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0\\n\u003c4\u003e[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001\\n\u003c4\u003e[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000\\n\u003c4\u003e[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000\\n\u003c4\u003e[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000\\n\u003c4\u003e[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n\u003c4\u003e[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0\\n\u003c4\u003e[ 574.475303] PKRU: 55555554\\n\u003c4\u003e[ 574.475306] Call Trace:\\n\u003c4\u003e[ 574.475313] \u003cIRQ\u003e\\n\u003c4\u003e[ 574.475318] ? __die+0x23/0x70\\n\u003c4\u003e[ 574.475329] ? page_fault_oops+0x180/0x4c0\\n\u003c4\u003e[ 574.475339] ? skb_pp_cow_data+0x34c/0x490\\n\u003c4\u003e[ 574.475346] ? kmem_cache_free+0x257/0x280\\n\u003c4\u003e[ 574.475357] ? exc_page_fault+0x67/0x150\\n\u003c4\u003e[ 574.475368] ? asm_exc_page_fault+0x26/0x30\\n\u003c4\u003e[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\\n\u003c4\u003e[ 574.475386] bq_xmit_all+0x158/0x420\\n\u003c4\u003e[ 574.475397] __dev_flush+0x30/0x90\\n\u003c4\u003e[ 574.475407] veth_poll+0x216/0x250 [veth]\\n\u003c4\u003e[ 574.475421] __napi_poll+0x28/0x1c0\\n\u003c4\u003e[ 574.475430] net_rx_action+0x32d/0x3a0\\n\u003c4\u003e[ 574.475441] handle_softirqs+0xcb/0x2c0\\n\u003c4\u003e[ 574.475451] do_softirq+0x40/0x60\\n\u003c4\u003e[ 574.475458] \u003c/IRQ\u003e\\n\u003c4\u003e[ 574.475461] \u003cTASK\u003e\\n\u003c4\u003e[ 574.475464] __local_bh_enable_ip+0x66/0x70\\n\u003c4\u003e[ 574.475471] __dev_queue_xmit+0x268/0xe40\\n\u003c4\u003e[ 574.475480] ? selinux_ip_postroute+0x213/0x420\\n\u003c4\u003e[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0\\n\u003c4\u003e[ 574.475502] ip6_finish_output2+0x2be/0x640\\n\u003c4\u003e[ 574.475512] ? nf_hook_slow+0x42/0xf0\\n\u003c4\u003e[ 574.475521] ip6_finish_output+0x194/0x300\\n\u003c4\u003e[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10\\n\u003c4\u003e[ 574.475538] mld_sendpack+0x17c/0x240\\n\u003c4\u003e[ 574.475548] mld_ifc_work+0x192/0x410\\n\u003c4\u003e[ 574.475557] process_one_work+0x15d/0x380\\n\u003c4\u003e[ 574.475566] worker_thread+0x29d/0x3a0\\n\u003c4\u003e[ 574.475573] ? __pfx_worker_thread+0x10/0x10\\n\u003c4\u003e[ 574.475580] ? __pfx_worker_thread+0x10/0x10\\n\u003c4\u003e[ 574.475587] kthread+0xcd/0x100\\n\u003c4\u003e[ 574.475597] ? __pfx_kthread+0x10/0x10\\n\u003c4\u003e[ 574.475606] ret_from_fork+0x31/0x50\\n\u003c4\u003e[ 574.475615] ? __pfx_kthread+0x10/0x10\\n\u003c4\u003e[ 574.475623] ret_from_fork_asm+0x1a/0x\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: devmap: proporcionar rxq despu\u00e9s de la redirecci\u00f3n rxq contiene un puntero al dispositivo desde donde se produjo la redirecci\u00f3n. Actualmente, el programa BPF que se ejecut\u00f3 despu\u00e9s de una redirecci\u00f3n a trav\u00e9s de BPF_MAP_TYPE_DEVMAP* no lo tiene configurado. Esto es particularmente malo ya que se accede a ingress_ifindex, p. ej. SEC(\\\"xdp\\\") int prog(struct xdp_md *pkt) { return bpf_redirect_map(\u0026amp;dev_redirect_map, 0, 0); } SEC(\\\"xdp/devmap\\\") int prog_after_redirect(struct xdp_md *pkt) { bpf_printk(\\\"ifindex %i\\\", pkt-\u0026gt;ingress_ifindex); return XDP_PASS; } depende del acceso a rxq, por lo que un puntero NULL se desreferencia: \u0026lt;1\u0026gt;[ 574.475170] ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: 0000000000000000 \u0026lt;1\u0026gt;[ 574.475188] #PF: acceso de lectura del supervisor en modo n\u00facleo \u0026lt;1\u0026gt;[ 574.475194] #PF: error_code(0x0000) - p\u00e1gina no presente \u0026lt;6\u0026gt;[ 574.475199] PGD 0 P4D 0 \u0026lt;4\u0026gt;[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI \u0026lt;4\u0026gt;[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 No contaminado 6.11.0-rc5-reduced-00859-g780801200300 #23 \u0026lt;4\u0026gt;[ 574.475226] Nombre del hardware: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 14/03/2023 \u0026lt;4\u0026gt;[ 574.475231] Cola de trabajo: mld mld_ifc_work \u0026lt;4\u0026gt;[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c \u0026lt;4\u0026gt;[ 574.475257] C\u00f3digo: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 \u0026lt;48\u0026gt; 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b \u0026lt;4\u0026gt;[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 \u0026lt;4\u0026gt;[ 574.475269] RAX: ffffa62440280cd8 RBX: 00000000000000001 RCX: 0000000000000000 \u0026lt;4\u0026gt;[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 \u0026lt;4\u0026gt;[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 \u0026lt;4\u0026gt;[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 \u0026lt;4\u0026gt;[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 \u0026lt;4\u0026gt;[ 574.475289] FS: 000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 \u0026lt;4\u0026gt;[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 000000080050033 \u0026lt;4\u0026gt;[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 \u0026lt;4\u0026gt;[ 574.475303] PKRU: 55555554 \u0026lt;4\u0026gt;[ 574.475306] Rastreo de llamadas: \u0026lt;4\u0026gt;[ 574.475313] \u0026lt;4\u0026gt;[ 574.475318] ? __die+0x23/0x70 \u0026lt;4\u0026gt;[ 574.475329] ? page_fault_oops+0x180/0x4c0 \u0026lt;4\u0026gt;[ 574.475339] ? asm_exc_page_fault+0x26/0x30 \u0026lt;4\u0026gt;[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c \u0026lt;4\u0026gt;[ 574.475386] bq_xmit_all+0x158/0x420 \u0026lt;4\u0026gt;[ 574.475397] __dev_flush+0x30/0x90 \u0026lt;4\u0026gt;[ 574.475407] veth_poll+0x216/0x250 [veth] \u0026lt;4\u0026gt;[ 574.475421] __napi_poll+0x28/0x1c0 \u0026lt;4\u0026gt;[ 574.475430] net_rx_action+0x32d/0x3a0 \u0026lt;4\u0026gt;[ 574.475441] selinux_ip_postroute+0x213/0x420 \u0026lt;4\u0026gt;[ 574.475491] ? nf_hook_slow+0x42/0xf0 \u0026lt;4\u0026gt;[ 574.475521] ip6_finish_output+0x194/0x300 \u0026lt;4\u0026gt;[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10 \u0026lt;4\u0026gt;[ 574.475538] mld_sendpack+0x17c/0x240 \u0026lt;4\u0026gt;[ 574.475548] mld_ifc_work+0x192/0x410 \u0026lt;4\u0026gt;[ 574.475557] proceso_uno_trabajo+0x15d/0x380 \u0026lt;4\u0026gt;[ 574.475566] subproceso_trabajador+0x29d/0x3a0 \u0026lt;4\u0026gt;[ 574.475573] ? __pfx_worker_thread+0x10/0x10 \u0026lt;4\u0026gt;[ 574.475580] ? __pfx_worker_thread+0x10/0x10 \u0026lt;4\u0026gt;[ 574.475587] kthread+0xcd/0x100 \u0026lt;4\u0026gt;[ 574.475597] ? __pfx_kthread+0x10/0x10 \u0026lt;4\u0026gt;[ 574.475606] ret_from_fork+0x31/0x50 \u0026lt;4\u0026gt;[ 574.475615] ? __pfx_kthread+0x10/0x10 \u0026lt;4\u0026gt;[ 574.475623] ret_from_fork_asm+0x1a/0x ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14\",\"versionEndExcluding\":\"5.15.170\",\"matchCriteriaId\":\"53E8194F-DD7E-4112-80DD-3E7EF9172D6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.115\",\"matchCriteriaId\":\"C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.59\",\"matchCriteriaId\":\"5D15CA59-D15C-4ACD-8B03-A072DEAD2081\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.6\",\"matchCriteriaId\":\"E4486B12-007B-4794-9857-F07145637AA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/49454f09936a9a96edfb047156889879cb4001eb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9167d1c274a336e4763eeb3f3f9cb763c55df5aa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a778fbe087c19f4ece5f5fc14173328f070c3803\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ca9984c5f0ab3690d98b13937b2485a978c8dd73\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fe068afb868660fe683a8391c6c17ecbe2254922\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.