Re: CVE-2024-50063: bpf: Prevent tail call between progs attached to different hooks
From: Shung-Hsi Yu
Date: Thu Oct 24 2024 - 00:05:06 EST
On Mon, Oct 21, 2024 at 09:40:04PM GMT, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> bpf: Prevent tail call between progs attached to different hooks
>
> bpf progs can be attached to kernel functions, and the attached functions
> can take different parameters or return different return values. If
> prog attached to one kernel function tail calls prog attached to another
> kernel function, the ctx access or return value verification could be
> bypassed.
...
> This patch adds restriction for tail call to prevent such bypasses.
>
> The Linux kernel CVE team has assigned CVE-2024-50063 to this issue.
>
>
> Affected and fixed versions
> ===========================
I do not know that exact commit that introduced the issue, but given
that the fix addresses the following BPF program types:
- BPF_PROG_TYPE_TRACING (v5.5)
- BPF_PROG_TYPE_EXT (v5.6)
- BPF_PROG_TYPE_STRUCT_OPS (v5.6)
- BPF_PROG_TYPE_LSM (v5.7)
The earliest affected version possible should be v5.5.
> Fixed in 6.6.57 with commit 5d5e3b4cbe8e
> Fixed in 6.11.4 with commit 88c2a10e6c17
> Fixed in 6.12-rc1 with commit 28ead3eaabc1
...