CVE-2024-43837

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-43837
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43837.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-43837
Downstream
Related
Published
2024-08-17T09:21:53Z
Modified
2025-10-17T10:34:20.256238Z
Summary
bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT

When loading an EXT program without specifying attr->attach_prog_fd, prog->aux->dst_prog will be NULL. At this point, calling resolve_prog_type() anywhere will result in a null pointer dereference.

Example stack trace:

[ 8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[ 8.108262] Mem abort info:
[ 8.108384] ESR = 0x0000000096000004
[ 8.108547] EC = 0x25: DABT (current EL), IL = 32 bits
[ 8.108722] SET = 0, FnV = 0
[ 8.108827] EA = 0, S1PTW = 0
[ 8.108939] FSC = 0x04: level 0 translation fault
[ 8.109102] Data abort info:
[ 8.109203] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 8.109399] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 8.109614] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000
[ 8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000
[ 8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 8.112783] Modules linked in:
[ 8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1
[ 8.113230] Hardware name: linux,dummy-virt (DT)
[ 8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 8.113429] pc : may_access_direct_pkt_data+0x24/0xa0
[ 8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8
[ 8.113798] sp : ffff80008283b9f0
[ 8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001
[ 8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000
[ 8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000
[ 8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff
[ 8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720
[ 8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720
[ 8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4
[ 8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f
[ 8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c
[ 8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000
[ 8.114126] Call trace:
[ 8.114159] may_access_direct_pkt_data+0x24/0xa0
[ 8.114202] bpf_check+0x3bc/0x28c0
[ 8.114214] bpf_prog_load+0x658/0xa58
[ 8.114227] __sys_bpf+0xc50/0x2250
[ 8.114240] __arm64_sys_bpf+0x28/0x40
[ 8.114254] invoke_syscall.constprop.0+0x54/0xf0
[ 8.114273] do_el0_svc+0x4c/0xd8
[ 8.114289] el0_svc+0x3c/0x140
[ 8.114305] el0t_64_sync_handler+0x134/0x150
[ 8.114331] el0t_64_sync+0x168/0x170
[ 8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403)
[ 8.118672] ---[ end trace 0000000000000000 ]---

One way to fix it is by forcing attach_prog_fd to be non-empty in bpf_prog_load(). But this would break the libbpf_probe_bpf_prog_type API, which uses the verifier log to probe the prog type and would log nothing if we reject an invalid EXT prog before bpf_check().

Another way is to add a null check in resolve_prog_type().

The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT"), which wanted to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before that, the type resolution of a BPF_PROG_TYPE_EXT prog actually followed the logic below:

prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;

It implies that when an EXT program is not yet attached to a dst_prog, the prog type should be EXT itself. This code worked fine in the past, so just keep using it.

Fix this by returning prog->type for BPF_PROG_TYPE_EXT if dst_prog is not present in resolve_prog_type().
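The three versions of the resolution logic discussed above (pre-4a9c7bbe2ed4, the vulnerable form, and the fix), as an added stand-alone C model that is not the kernel's own code: the enum values, struct layouts and the _old/_vulnerable/_fixed function names are simplified assumptions of this example.

```c
/* Added example (not the kernel's own code): a stand-alone model of
 * resolve_prog_type() from include/linux/bpf_verifier.h. The enum values
 * and struct layouts are simplified stand-ins for the kernel's. */
#include <stddef.h>
#include <stdbool.h>

enum bpf_prog_type {
	BPF_PROG_TYPE_UNSPEC,
	BPF_PROG_TYPE_XDP,
	BPF_PROG_TYPE_TRACING,
	BPF_PROG_TYPE_EXT,
};

struct bpf_prog;
struct bpf_prog_aux {
	struct bpf_prog *dst_prog;  /* NULL until attach_prog_fd is given */
};
struct bpf_prog {
	enum bpf_prog_type type;
	struct bpf_prog_aux *aux;
};

/* Pre-4a9c7bbe2ed4 logic: any prog with a dst_prog resolves to its type,
 * which mis-resolves TRACING programs that carry a dst_prog. */
static enum bpf_prog_type resolve_prog_type_old(const struct bpf_prog *prog)
{
	return prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;
}

/* Logic introduced by 4a9c7bbe2ed4 (the vulnerable version): only EXT is
 * resolved, but dst_prog is dereferenced unconditionally, so an EXT prog
 * loaded without attach_prog_fd crashes here. Never call it for that case. */
static enum bpf_prog_type resolve_prog_type_vulnerable(const struct bpf_prog *prog)
{
	return prog->type == BPF_PROG_TYPE_EXT ?
	       prog->aux->dst_prog->type : prog->type;
}

/* Fixed logic: keep the EXT-only rule, fall back to prog->type if unattached. */
static enum bpf_prog_type resolve_prog_type_fixed(const struct bpf_prog *prog)
{
	return (prog->type == BPF_PROG_TYPE_EXT && prog->aux->dst_prog) ?
	       prog->aux->dst_prog->type : prog->type;
}

/* Mirrors the crash precondition without performing the dereference. */
static bool hits_null_deref(const struct bpf_prog *prog)
{
	return prog->type == BPF_PROG_TYPE_EXT && prog->aux->dst_prog == NULL;
}
```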

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4a9c7bbe2ed4d2b240674b1fb606c41d3940c412
Fixed
fcac5feb06f31ee4c88bca9bf98d8bc3ca7d2615
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4a9c7bbe2ed4d2b240674b1fb606c41d3940c412
Fixed
9d40fd516aeae6779e3c84c6b96700ca76285847
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4a9c7bbe2ed4d2b240674b1fb606c41d3940c412
Fixed
b29a880bb145e1f1c1df5ab88ed26b1495ff9f09
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4a9c7bbe2ed4d2b240674b1fb606c41d3940c412
Fixed
f7866c35873377313ff94398f17d425b28b71de1

Affected versions

v5.*

v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b29a880bb145e1f1c1df5ab88ed26b1495ff9f09",
        "signature_version": "v1",
        "target": {
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26274091560468632788080403896241758732",
                "299487938658815896081440408727113478176",
                "290777485744559376279234023506199155772",
                "257731589538046347317610767496952496224"
            ]
        },
        "id": "CVE-2024-43837-0ed5271d"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9d40fd516aeae6779e3c84c6b96700ca76285847",
        "signature_version": "v1",
        "target": {
            "function": "resolve_prog_type",
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "function_hash": "318338540772419881703440585586201538194",
            "length": 151.0
        },
        "id": "CVE-2024-43837-23182bde"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f7866c35873377313ff94398f17d425b28b71de1",
        "signature_version": "v1",
        "target": {
            "function": "resolve_prog_type",
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "function_hash": "318338540772419881703440585586201538194",
            "length": 151.0
        },
        "id": "CVE-2024-43837-4051dc71"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcac5feb06f31ee4c88bca9bf98d8bc3ca7d2615",
        "signature_version": "v1",
        "target": {
            "function": "resolve_prog_type",
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "function_hash": "318338540772419881703440585586201538194",
            "length": 151.0
        },
        "id": "CVE-2024-43837-574eac0c"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f7866c35873377313ff94398f17d425b28b71de1",
        "signature_version": "v1",
        "target": {
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26274091560468632788080403896241758732",
                "299487938658815896081440408727113478176",
                "290777485744559376279234023506199155772",
                "257731589538046347317610767496952496224"
            ]
        },
        "id": "CVE-2024-43837-63e57de0"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9d40fd516aeae6779e3c84c6b96700ca76285847",
        "signature_version": "v1",
        "target": {
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26274091560468632788080403896241758732",
                "299487938658815896081440408727113478176",
                "290777485744559376279234023506199155772",
                "257731589538046347317610767496952496224"
            ]
        },
        "id": "CVE-2024-43837-69ea0d49"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b29a880bb145e1f1c1df5ab88ed26b1495ff9f09",
        "signature_version": "v1",
        "target": {
            "function": "resolve_prog_type",
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "function_hash": "318338540772419881703440585586201538194",
            "length": 151.0
        },
        "id": "CVE-2024-43837-79ccbf2b"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcac5feb06f31ee4c88bca9bf98d8bc3ca7d2615",
        "signature_version": "v1",
        "target": {
            "file": "include/linux/bpf_verifier.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26274091560468632788080403896241758732",
                "299487938658815896081440408727113478176",
                "290777485744559376279234023506199155772",
                "257731589538046347317610767496952496224"
            ]
        },
        "id": "CVE-2024-43837-990c26a4"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.1.103
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.44
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.3