CVE-2024-58098
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-58098
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-58098.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-58098
- Downstream
- Related
- Published
- 2025-05-05T14:53:32.417Z
- Modified
- 2025-11-16T12:24:24.639747Z
- Summary
- bpf: track changes_pkt_data property for global functions
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: track changespktdata property for global functions
When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program:
__attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP; skb_pull_data(sk, 0); *p = 42; return TCX_PASS; }After a call to bpfskbpulldata() the pointer 'p' can't be used safely. See function filter.c:bpfhelperchangespkt_data() for a list of such helpers.
At the moment verifier invalidates packet pointers when processing helper function calls, and does not traverse global sub-programs when processing calls to global sub-programs. This means that calls to helpers done from global sub-programs do not invalidate pointers in the caller state. E.g. the program above is unsafe, but is not rejected by verifier.
This commit fixes the omission by computing field bpfsubproginfo->changespktdata for each sub-program before main verification pass. changespktdata should be set if: - subprogram calls helper for which bpfhelperchangespktdata returns true; - subprogram calls a global function, for which bpfsubproginfo->changespktdata should be set.
The verifier.c:checkcfg() pass is modified to compute this information. The commit relies on depth first instruction traversal done by checkcfg() and absence of recursive function calls: - checkcfg() would eventually visit every call to subprogram S in a state when S is fully explored; - when S is fully explored: - every direct helper call within S is explored (and thus changespktdata is set if needed); - every call to subprogram S1 called by S was visited with S1 fully explored (and thus S inherits changespkt_data from S1).
The downside of such approach is that dead code elimination is not taken into account: if a helper call inside global function is dead because of current configuration, verifier would conservatively assume that the call occurs for the purpose of the changespktdata computation.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced51c39bb1d5d105a02e29aa7960f0a395086e6342Fixed79751e9227a5910c0e5a2c7186877d91821d957d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced51c39bb1d5d105a02e29aa7960f0a395086e6342Fixed1d572c60488b52882b719ed273767ee3b280413d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced51c39bb1d5d105a02e29aa7960f0a395086e6342Fixed51081a3f25c742da5a659d7fc6fd77ebfdd555be
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.5
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13-rc1
v6.13-rc2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"digest": {
"length": 448.0,
"function_hash": "297280354096895661114096221933074184276"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "visit_func_call_insn"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51081a3f25c742da5a659d7fc6fd77ebfdd555be",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-0d0e2a3f",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"52284824093470831099447178676765753376",
"261361858581974102605613198465664476129",
"200505641313762809578063035334292562469",
"175531399549493799789883654816673115254"
]
},
"target": {
"file": "include/linux/bpf_verifier.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51081a3f25c742da5a659d7fc6fd77ebfdd555be",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-58098-501cc7eb",
"signature_version": "v1"
},
{
"digest": {
"length": 1570.0,
"function_hash": "333348521390523232425304740713593168772"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "visit_insn"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79751e9227a5910c0e5a2c7186877d91821d957d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-5d59b879",
"signature_version": "v1"
},
{
"digest": {
"length": 1730.0,
"function_hash": "158887222337749801170908135126392510144"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "check_func_call"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51081a3f25c742da5a659d7fc6fd77ebfdd555be",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-5f5b7557",
"signature_version": "v1"
},
{
"digest": {
"length": 1735.0,
"function_hash": "184392112503491277564962690146839999684"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "check_func_call"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d572c60488b52882b719ed273767ee3b280413d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-64b1f981",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"330775922854360129995506128449783364911",
"169139860711660247265806969242833475569",
"320809317568119759250696043882919789944",
"20129899727210854772669152290292556404"
]
},
"target": {
"file": "include/linux/bpf_verifier.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79751e9227a5910c0e5a2c7186877d91821d957d",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-58098-750b2ea8",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"106465026162770806617866549735666408349",
"320693043426728656325972073057018555858",
"171325104165703540187373692713356124320",
"252974806690749848738305026937449183127",
"129685781228347966045666954720786443815",
"337286213630885902811217975415168460751",
"313168034836195276785566480327599340883",
"149245689690554677241102811177739974897",
"290725641285484879859385254294768484187",
"257004245199321442084458541996553557496",
"258816208200982003936806775556842742377",
"221012222858821329721718618999107712090",
"137530148043012200030414728981061764676",
"162016965516736489033528955125948414993",
"83280600549578892042000537528876289709",
"138982363188168795635602618235608352519",
"333092153282623189887879295799567285761",
"40039232917883768709239162553945029715",
"37031010212905605142316017559594134407",
"97605711995622239137672370383876601606",
"15936105861748957284154227887141352332"
]
},
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d572c60488b52882b719ed273767ee3b280413d",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-58098-895c2715",
"signature_version": "v1"
},
{
"digest": {
"length": 1575.0,
"function_hash": "34574149578227893996121582841813887993"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "visit_insn"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d572c60488b52882b719ed273767ee3b280413d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-8bed6c35",
"signature_version": "v1"
},
{
"digest": {
"length": 448.0,
"function_hash": "297280354096895661114096221933074184276"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "visit_func_call_insn"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79751e9227a5910c0e5a2c7186877d91821d957d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-9c67eefc",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"85034204048979904608592956995765980996",
"323750193802644159623735311261894641327",
"190185786498461568559255796409572626559",
"330498834169027840159544390980913043788",
"129685781228347966045666954720786443815",
"337286213630885902811217975415168460751",
"313168034836195276785566480327599340883",
"149245689690554677241102811177739974897",
"290725641285484879859385254294768484187",
"257004245199321442084458541996553557496",
"258816208200982003936806775556842742377",
"221012222858821329721718618999107712090",
"137530148043012200030414728981061764676",
"162016965516736489033528955125948414993",
"83280600549578892042000537528876289709",
"138982363188168795635602618235608352519",
"333092153282623189887879295799567285761",
"40039232917883768709239162553945029715",
"37031010212905605142316017559594134407",
"97605711995622239137672370383876601606",
"15936105861748957284154227887141352332"
]
},
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79751e9227a5910c0e5a2c7186877d91821d957d",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-58098-a25c7d03",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"52284824093470831099447178676765753376",
"281146539610094791214650434600441499102",
"1919737116299986710366650769001728034",
"267627490773810335839051702758505898600"
]
},
"target": {
"file": "include/linux/bpf_verifier.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d572c60488b52882b719ed273767ee3b280413d",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-58098-b981b827",
"signature_version": "v1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"106465026162770806617866549735666408349",
"320693043426728656325972073057018555858",
"171325104165703540187373692713356124320",
"252974806690749848738305026937449183127",
"129685781228347966045666954720786443815",
"337286213630885902811217975415168460751",
"313168034836195276785566480327599340883",
"149245689690554677241102811177739974897",
"290725641285484879859385254294768484187",
"257004245199321442084458541996553557496",
"258816208200982003936806775556842742377",
"221012222858821329721718618999107712090",
"137530148043012200030414728981061764676",
"162016965516736489033528955125948414993",
"83280600549578892042000537528876289709",
"138982363188168795635602618235608352519",
"333092153282623189887879295799567285761",
"40039232917883768709239162553945029715",
"37031010212905605142316017559594134407",
"97605711995622239137672370383876601606",
"15936105861748957284154227887141352332"
]
},
"target": {
"file": "kernel/bpf/verifier.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51081a3f25c742da5a659d7fc6fd77ebfdd555be",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-58098-b9b0982a",
"signature_version": "v1"
},
{
"digest": {
"length": 448.0,
"function_hash": "297280354096895661114096221933074184276"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "visit_func_call_insn"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1d572c60488b52882b719ed273767ee3b280413d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-d4090db6",
"signature_version": "v1"
},
{
"digest": {
"length": 1264.0,
"function_hash": "263129774679533850730185668853380943177"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "check_func_call"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79751e9227a5910c0e5a2c7186877d91821d957d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-e6c3f896",
"signature_version": "v1"
},
{
"digest": {
"length": 1575.0,
"function_hash": "34574149578227893996121582841813887993"
},
"target": {
"file": "kernel/bpf/verifier.c",
"function": "visit_insn"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51081a3f25c742da5a659d7fc6fd77ebfdd555be",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-58098-ef9c4f82",
"signature_version": "v1"
}
]