CVE-2024-47702

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47702
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47702.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47702
Downstream
Related
Published
2024-10-21T11:53:37Z
Modified
2025-10-17T13:34:49.447847Z
Summary
bpf: Fail verification for sign-extension of packet data/data_end/data_meta
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fail verification for sign-extension of packet data/dataend/datameta

syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/dataend/datameta uapi field.

The original code looks like: r2 = (s32 *)(r1 + 76) / load _skbuff->data / r3 = *(u32 *)(r1 + 80) / load _skbuff->dataend */ r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that _sk_buff->data load has 32-bit sign extension.

After verification and convertctxaccesses(), the final asm code looks like: r2 = *(u64 *)(r1 +208) r2 = (s32)r2 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel _skbuff->data address invalid which may cause runtime failure.

Currently, in C code, typically we have void *data = (void *)(long)skb->data; void *dataend = (void *)(long)skb->dataend; ... and it will generate r2 = *(u64 *)(r1 +208) r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1

If we allow sign-extension, void *data = (void *)(long)(int)skb->data; void *dataend = (void *)(long)skb->dataend; ... the generated code looks like r2 = *(u64 *)(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer.

To fix this issue for case r2 = (s32 *)(r1 + 76) / load _skbuff->data */ this patch added additional checking in isvalidaccess() callback function for packet data/dataend/datameta access. If those accesses are with sign-extenstion, the verification will fail.

[1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1f1e864b65554e33fe74e3377e58b12f4302f2eb
Fixed
f1620c93a1ec950d87ef327a565d3907736d3340
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1f1e864b65554e33fe74e3377e58b12f4302f2eb
Fixed
f09757fe97a225ae505886eac572e4cbfba96537
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1f1e864b65554e33fe74e3377e58b12f4302f2eb
Fixed
92de36080c93296ef9005690705cba260b9bd68a

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.5
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.10.13
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.2