CVE-2024-58098
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-58098
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-58098.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-58098
- Downstream
- Related
- Published
- 2025-05-05T14:53:32Z
- Modified
- 2025-10-10T05:45:49.161241Z
- Summary
- bpf: track changes_pkt_data property for global functions
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: track changespktdata property for global functions
When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program:
__attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP; skb_pull_data(sk, 0); *p = 42; return TCX_PASS; }After a call to bpfskbpulldata() the pointer 'p' can't be used safely. See function filter.c:bpfhelperchangespkt_data() for a list of such helpers.
At the moment verifier invalidates packet pointers when processing helper function calls, and does not traverse global sub-programs when processing calls to global sub-programs. This means that calls to helpers done from global sub-programs do not invalidate pointers in the caller state. E.g. the program above is unsafe, but is not rejected by verifier.
This commit fixes the omission by computing field bpfsubproginfo->changespktdata for each sub-program before main verification pass. changespktdata should be set if: - subprogram calls helper for which bpfhelperchangespktdata returns true; - subprogram calls a global function, for which bpfsubproginfo->changespktdata should be set.
The verifier.c:checkcfg() pass is modified to compute this information. The commit relies on depth first instruction traversal done by checkcfg() and absence of recursive function calls: - checkcfg() would eventually visit every call to subprogram S in a state when S is fully explored; - when S is fully explored: - every direct helper call within S is explored (and thus changespktdata is set if needed); - every call to subprogram S1 called by S was visited with S1 fully explored (and thus S inherits changespkt_data from S1).
The downside of such approach is that dead code elimination is not taken into account: if a helper call inside global function is dead because of current configuration, verifier would conservatively assume that the call occurs for the purpose of the changespktdata computation.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced51c39bb1d5d105a02e29aa7960f0a395086e6342Fixed79751e9227a5910c0e5a2c7186877d91821d957d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced51c39bb1d5d105a02e29aa7960f0a395086e6342Fixed1d572c60488b52882b719ed273767ee3b280413d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced51c39bb1d5d105a02e29aa7960f0a395086e6342Fixed51081a3f25c742da5a659d7fc6fd77ebfdd555be