In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix out-of-bounds write in trie_get_next_key()
trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie whose max_prefixlen is 8, with the nodes with keys 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key() with _key with .prefixlen = 8 cause 9 nodes to be written to the node stack of size 8, i.e. one entry past the end of the allocation.
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@90a6e0e1e151ef7a9282e78f54c3091de2dcc99c",
"id": "CVE-2024-50262-1529a295",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91afbc0eb3c90258ae378ae3c6ead3d2371e926d",
"id": "CVE-2024-50262-32b6c3eb",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a035df0b98df424559fd383e8e1a268f422ea2ba",
"id": "CVE-2024-50262-37f23595",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@590976f921723d53ac199c01d5b7b73a94875e68",
"id": "CVE-2024-50262-4c5e0259",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21",
"id": "CVE-2024-50262-6e665bc3",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@86c8ebe02d8806dd8878d0063e8e185622ab6ea6",
"id": "CVE-2024-50262-741c2890",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@90a6e0e1e151ef7a9282e78f54c3091de2dcc99c",
"id": "CVE-2024-50262-745bc936",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c4b4f9a9ab82238cb158fa4fe61a8c0ae21a4980",
"id": "CVE-2024-50262-824b864f",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c4b4f9a9ab82238cb158fa4fe61a8c0ae21a4980",
"id": "CVE-2024-50262-83c39d8b",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21",
"id": "CVE-2024-50262-8b8c67ed",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91afbc0eb3c90258ae378ae3c6ead3d2371e926d",
"id": "CVE-2024-50262-a1a7650c",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e8494ac079814a53fbc2258d2743e720907488ed",
"id": "CVE-2024-50262-b8550b44",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a035df0b98df424559fd383e8e1a268f422ea2ba",
"id": "CVE-2024-50262-c58a13af",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e8494ac079814a53fbc2258d2743e720907488ed",
"id": "CVE-2024-50262-ce2e3712",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@86c8ebe02d8806dd8878d0063e8e185622ab6ea6",
"id": "CVE-2024-50262-d3ff8385",
"digest": {
"function_hash": "157602243252729350988370219172129127109",
"length": 1723.0
},
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "trie_get_next_key",
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@590976f921723d53ac199c01d5b7b73a94875e68",
"id": "CVE-2024-50262-dff74242",
"digest": {
"line_hashes": [
"194008015612975176213187571381252045916",
"83388060907452912926250521421462605025",
"49851018286678210917451816179610167890",
"132236565412088341474598375923311218776"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "kernel/bpf/lpm_trie.c"
},
"signature_type": "Line"
}
]