CVE-2024-50161

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50161
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50161.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50161
Downstream
Related
Published
2024-11-07T09:31:38Z
Modified
2025-10-09T21:23:22.719521Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
bpf: Check the remaining info_cnt before repeating btf fields
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check the remaining info_cnt before repeating btf fields

When trying to repeat the btf fields for an array of nested structs, it doesn't check the remaining info_cnt. The following splat will be reported when the value of ret * nelems is greater than BTF_FIELDS_MAX:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49
index 11 is out of range for type 'btf_field_info [11]'
CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
 <TASK>
 dump_stack_lvl+0x57/0x70
 dump_stack+0x10/0x20
 ubsan_epilogue+0x9/0x40
 __ubsan_handle_out_of_bounds+0x6f/0x80
 ? kallsyms_lookup_name+0x48/0xb0
 btf_parse_fields+0x992/0xce0
 map_create+0x591/0x770
 __sys_bpf+0x229/0x2410
 __x64_sys_bpf+0x1f/0x30
 x64_sys_call+0x199/0x9f0
 do_syscall_64+0x3b/0xc0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fea56f2cc5d
......
 </TASK>
---[ end trace ]---

Fix it by checking the remaining info_cnt in btf_repeat_fields() before repeating the btf fields.
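The check the fix describes, as an added example that models the field-repetition step in plain C. This is not the kernel's btf_repeat_fields() and the struct layout, function names and the demo inputs are assumptions; only the constant name BTF_FIELDS_MAX and its value of 11 (the array size in the splat) come from the record. The repeated block of field_cnt entries is copied repeat_cnt more times into a fixed array of info_cnt slots, and the function refuses with -E2BIG when field_cnt * (repeat_cnt + 1) would exceed info_cnt, which is exactly the case the unchecked loop turns into an out-of-bounds write.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the kernel's per-map field bookkeeping (assumed
 * shape, not the kernel's definition).  BTF_FIELDS_MAX is the kernel's
 * constant; 11 is the array size reported in the UBSAN splat. */
#define BTF_FIELDS_MAX 11

struct field_info {
    uint32_t type;
    uint32_t off;   /* byte offset of the field inside the map value */
};

/* Repeat the first field_cnt entries of info repeat_cnt more times, shifting
 * each copy's offset by elem_size (one array element) per repetition.
 * Returns 0 on success or -E2BIG when the expanded set would not fit in the
 * info_cnt slots available.  The info_cnt check is the fix: without it cur
 * walks past the end of the array and memcpy writes out of bounds. */
int repeat_fields_checked(struct field_info *info, uint32_t info_cnt,
                          uint32_t field_cnt, uint32_t repeat_cnt,
                          uint32_t elem_size)
{
    uint32_t i, j, cur;

    if (field_cnt == 0)
        return 0;               /* nothing to repeat */

    /* Guard the multiplication itself so the bound check cannot wrap. */
    if (repeat_cnt > (UINT32_MAX / field_cnt) - 1)
        return -E2BIG;
    if (field_cnt * (repeat_cnt + 1) > info_cnt)
        return -E2BIG;          /* remaining info_cnt too small */

    cur = field_cnt;
    for (i = 0; i < repeat_cnt; i++) {
        memcpy(&info[cur], &info[0], field_cnt * sizeof(info[0]));
        for (j = 0; j < field_cnt; j++)
            info[cur++].off += elem_size * (i + 1);
    }
    return 0;
}

/* Highest array index an unchecked repeat loop would write for the same
 * inputs; anything >= BTF_FIELDS_MAX is the out-of-bounds access. */
uint32_t unchecked_last_index(uint32_t field_cnt, uint32_t repeat_cnt)
{
    return field_cnt * (repeat_cnt + 1) - 1;
}

/* Constructed demo: a nested struct with 2 tracked fields, repeated for a
 * 6-element array (repeat_cnt = nelems - 1 = 5) needs 12 slots but only
 * BTF_FIELDS_MAX = 11 exist, so the checked version reports -E2BIG. */
int demo_rejects_overflow(void)
{
    struct field_info info[BTF_FIELDS_MAX] = { {1, 0}, {2, 4} };
    return repeat_fields_checked(info, BTF_FIELDS_MAX, 2, 5, 8);
}

/* Constructed demo: a 5-element array (10 slots) fits; returns the offset
 * of the last generated field, 4 + 4 * 8 = 36. */
uint32_t demo_last_offset_when_fits(void)
{
    struct field_info info[BTF_FIELDS_MAX] = { {1, 0}, {2, 4} };
    if (repeat_fields_checked(info, BTF_FIELDS_MAX, 2, 4, 8) != 0)
        return 0;
    return info[9].off;
}
```

The bound is computed on the total after expansion, not on repeat_cnt alone, so a small element count with many fields is rejected just as a large array of few fields is; the explicit overflow guard is there because a model using plain uint32_t arithmetic has no other limit on the inputs.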

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
64e8ee814819f21beeeda00d4119221443d77992
Fixed
6f957d972feee9b385ea3ae6530310a84e55ba71
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
64e8ee814819f21beeeda00d4119221443d77992
Fixed
797d73ee232dd1833dec4824bc53a22032e97c1c

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.6