CVE-2024-47794
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-47794
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47794.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-47794
- Downstream
- Related
- Published
- 2025-01-11T13:15:22Z
- Modified
- 2025-08-09T20:01:26Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent tailcall infinite loop caused by freplace
There is a potential infinite loop issue that can occur when using a combination of tail calls and freplace.
In an upcoming selftest, the attach target for entryfreplace of tailcallfreplace.c is subprogtc of tcbpf2bpf.c, while the tail call in entryfreplace leads to entrytc. This results in an infinite loop:
entrytc -> subprogtc -> entryfreplace --tailcall-> entrytc.
The problem arises because the tailcallcnt in entryfreplace resets to zero each time entryfreplace is executed, causing the tail call mechanism to never terminate, eventually leading to a kernel panic.
To fix this issue, the solution is twofold:
- Prevent updating a program extended by an freplace program to a prog_array map.
- Prevent extending a program that is already part of a prog_array map with an freplace program.
This ensures that:
- If a program or its subprogram has been extended by an freplace program, it can no longer be updated to a prog_array map.
- If a program has been added to a prog_array map, neither it nor its subprograms can be extended by an freplace program.
Moreover, an extension program should not be tailcalled. As such, return -EINVAL if the program has a type of BPFPROGTYPEEXT when adding it to a progarray map.
Additionally, fix a minor code style issue by replacing eight spaces with a tab for proper formatting.
- References