CVE-2024-50162
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50162
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50162.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-50162
- Downstream
- Related
- Published
- 2024-11-07T09:31:39Z
- Modified
- 2025-10-15T04:15:58.312117Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- bpf: devmap: provide rxq after redirect
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: devmap: provide rxq after redirect
rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPFMAPTYPE_DEVMAP* does not have it set.
This is particularly bad since accessing ingress_ifindex, e.g.
SEC("xdp") int prog(struct xdpmd *pkt) { return bpfredirectmap(&devredirect_map, 0, 0); }
SEC("xdp/devmap") int progafterredirect(struct xdpmd *pkt) { bpfprintk("ifindex %i", pkt->ingressifindex); return XDPPASS; }
depends on access to rxq, so a NULL pointer gets dereferenced:
<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 <1>[ 574.475188] #PF: supervisor read access in kernel mode <1>[ 574.475194] #PF: errorcode(0x0000) - not-present page <6>[ 574.475199] PGD 0 P4D 0 <4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI <4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 <4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 <4>[ 574.475231] Workqueue: mld mldifcwork <4>[ 574.475247] RIP: 0010:bpfprog5e13354d9cf5018aprogafterredirect+0x17/0x3c <4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b <4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 <4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 <4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 <4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 <4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 <4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 <4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 <4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 <4>[ 574.475303] PKRU: 55555554 <4>[ 574.475306] Call Trace: <4>[ 574.475313] <IRQ> <4>[ 574.475318] ? _die+0x23/0x70 <4>[ 574.475329] ? pagefaultoops+0x180/0x4c0 <4>[ 574.475339] ? skbppcowdata+0x34c/0x490 <4>[ 574.475346] ? kmemcachefree+0x257/0x280 <4>[ 574.475357] ? excpagefault+0x67/0x150 <4>[ 574.475368] ? asmexcpagefault+0x26/0x30 <4>[ 574.475381] ? bpfprog5e13354d9cf5018aprogafterredirect+0x17/0x3c <4>[ 574.475386] bqxmitall+0x158/0x420 <4>[ 574.475397] _devflush+0x30/0x90 <4>[ 574.475407] vethpoll+0x216/0x250 [veth] <4>[ 574.475421] _napipoll+0x28/0x1c0 <4>[ 574.475430] netrxaction+0x32d/0x3a0 <4>[ 574.475441] handlesoftirqs+0xcb/0x2c0 <4>[ 574.475451] dosoftirq+0x40/0x60 <4>[ 574.475458] </IRQ> <4>[ 574.475461] <TASK> <4>[ 574.475464] _localbhenableip+0x66/0x70 <4>[ 574.475471] _devqueuexmit+0x268/0xe40 <4>[ 574.475480] ? selinuxippostroute+0x213/0x420 <4>[ 574.475491] ? allocskbwithfrags+0x4a/0x1d0 <4>[ 574.475502] ip6finishoutput2+0x2be/0x640 <4>[ 574.475512] ? nfhookslow+0x42/0xf0 <4>[ 574.475521] ip6finishoutput+0x194/0x300 <4>[ 574.475529] ? _pfxip6finishoutput+0x10/0x10 <4>[ 574.475538] mldsendpack+0x17c/0x240 <4>[ 574.475548] mldifcwork+0x192/0x410 <4>[ 574.475557] processonework+0x15d/0x380 <4>[ 574.475566] workerthread+0x29d/0x3a0 <4>[ 574.475573] ? _pfxworkerthread+0x10/0x10 <4>[ 574.475580] ? _pfxworkerthread+0x10/0x10 <4>[ 574.475587] kthread+0xcd/0x100 <4>[ 574.475597] ? _pfxkthread+0x10/0x10 <4>[ 574.475606] retfromfork+0x31/0x50 <4>[ 574.475615] ? _pfxkthread+0x10/0x10 <4>[ 574.475623] retfromforkasm+0x1a/0x ---truncated---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/49454f09936a9a96edfb047156889879cb4001eb
- https://git.kernel.org/stable/c/9167d1c274a336e4763eeb3f3f9cb763c55df5aa
- https://git.kernel.org/stable/c/a778fbe087c19f4ece5f5fc14173328f070c3803
- https://git.kernel.org/stable/c/ca9984c5f0ab3690d98b13937b2485a978c8dd73
- https://git.kernel.org/stable/c/fe068afb868660fe683a8391c6c17ecbe2254922
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcb261b594b4108668e00f565184c7c221efe0359Fixedfe068afb868660fe683a8391c6c17ecbe2254922
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcb261b594b4108668e00f565184c7c221efe0359Fixeda778fbe087c19f4ece5f5fc14173328f070c3803
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcb261b594b4108668e00f565184c7c221efe0359Fixed49454f09936a9a96edfb047156889879cb4001eb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcb261b594b4108668e00f565184c7c221efe0359Fixed9167d1c274a336e4763eeb3f3f9cb763c55df5aa
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcb261b594b4108668e00f565184c7c221efe0359Fixedca9984c5f0ab3690d98b13937b2485a978c8dd73
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"id": "CVE-2024-50162-0d5b89f8",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca9984c5f0ab3690d98b13937b2485a978c8dd73",
"signature_version": "v1",
"target": {
"function": "dev_map_bpf_prog_run",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "38343854348520546534353418401427291382",
"length": 673.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-17b01995",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a778fbe087c19f4ece5f5fc14173328f070c3803",
"signature_version": "v1",
"target": {
"function": "bq_xmit_all",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "211384730263335181792089924972498897395",
"length": 719.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-50162-56a1637b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49454f09936a9a96edfb047156889879cb4001eb",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/devmap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"28638604596770098589420791053264704973",
"167449477756113537004998860038095635461",
"201748864156211002639030737612688875917",
"94493477315825691518135331578069114496",
"115171109050493069747553270076357606416",
"111723684994885041148928069718998250647",
"176353585249001854279264170339210191454",
"124946104836484078416162540828022975182",
"157961928221834998780586785799857820607",
"166749244800662279503190437831424507910",
"208247173928287194569828601549954103459",
"43449485154168429238601159690437171858",
"280398977497132230888519441632634359509",
"64020230868017897052312063496047172404",
"173907415234291040170974705662787514496",
"216061321219488903533038726007240151145",
"180411669545443389449996200117165409237",
"41682696813366589121187429238691568586"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-50162-6172a8bd",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca9984c5f0ab3690d98b13937b2485a978c8dd73",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/devmap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"28638604596770098589420791053264704973",
"167449477756113537004998860038095635461",
"201748864156211002639030737612688875917",
"94493477315825691518135331578069114496",
"115171109050493069747553270076357606416",
"111723684994885041148928069718998250647",
"176353585249001854279264170339210191454",
"124946104836484078416162540828022975182",
"157961928221834998780586785799857820607",
"166749244800662279503190437831424507910",
"208247173928287194569828601549954103459",
"43449485154168429238601159690437171858",
"280398977497132230888519441632634359509",
"64020230868017897052312063496047172404",
"173907415234291040170974705662787514496",
"216061321219488903533038726007240151145",
"180411669545443389449996200117165409237",
"41682696813366589121187429238691568586"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-800a1db7",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49454f09936a9a96edfb047156889879cb4001eb",
"signature_version": "v1",
"target": {
"function": "bq_xmit_all",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "211384730263335181792089924972498897395",
"length": 719.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-9e62e7b9",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a778fbe087c19f4ece5f5fc14173328f070c3803",
"signature_version": "v1",
"target": {
"function": "dev_map_bpf_prog_run",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "38343854348520546534353418401427291382",
"length": 673.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-b0d86785",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9167d1c274a336e4763eeb3f3f9cb763c55df5aa",
"signature_version": "v1",
"target": {
"function": "bq_xmit_all",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "211384730263335181792089924972498897395",
"length": 719.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-f1442156",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca9984c5f0ab3690d98b13937b2485a978c8dd73",
"signature_version": "v1",
"target": {
"function": "bq_xmit_all",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "211384730263335181792089924972498897395",
"length": 719.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-f4cd6f64",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9167d1c274a336e4763eeb3f3f9cb763c55df5aa",
"signature_version": "v1",
"target": {
"function": "dev_map_bpf_prog_run",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "38343854348520546534353418401427291382",
"length": 673.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-50162-f896b761",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9167d1c274a336e4763eeb3f3f9cb763c55df5aa",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/devmap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"28638604596770098589420791053264704973",
"167449477756113537004998860038095635461",
"201748864156211002639030737612688875917",
"94493477315825691518135331578069114496",
"115171109050493069747553270076357606416",
"111723684994885041148928069718998250647",
"176353585249001854279264170339210191454",
"124946104836484078416162540828022975182",
"157961928221834998780586785799857820607",
"166749244800662279503190437831424507910",
"208247173928287194569828601549954103459",
"43449485154168429238601159690437171858",
"280398977497132230888519441632634359509",
"64020230868017897052312063496047172404",
"173907415234291040170974705662787514496",
"216061321219488903533038726007240151145",
"180411669545443389449996200117165409237",
"41682696813366589121187429238691568586"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-50162-fa49b69d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49454f09936a9a96edfb047156889879cb4001eb",
"signature_version": "v1",
"target": {
"function": "dev_map_bpf_prog_run",
"file": "kernel/bpf/devmap.c"
},
"digest": {
"function_hash": "38343854348520546534353418401427291382",
"length": 673.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-50162-fb90429c",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a778fbe087c19f4ece5f5fc14173328f070c3803",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/devmap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"28638604596770098589420791053264704973",
"167449477756113537004998860038095635461",
"201748864156211002639030737612688875917",
"94493477315825691518135331578069114496",
"115171109050493069747553270076357606416",
"111723684994885041148928069718998250647",
"176353585249001854279264170339210191454",
"124946104836484078416162540828022975182",
"157961928221834998780586785799857820607",
"166749244800662279503190437831424507910",
"208247173928287194569828601549954103459",
"43449485154168429238601159690437171858",
"280398977497132230888519441632634359509",
"64020230868017897052312063496047172404",
"173907415234291040170974705662787514496",
"216061321219488903533038726007240151145",
"180411669545443389449996200117165409237",
"41682696813366589121187429238691568586"
]
},
"deprecated": false
}
]