CVE-2024-58100

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-58100
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-58100.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-58100
Downstream
Related
Published
2025-05-05T15:15:53Z
Modified
2025-08-09T20:01:25Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: check changes_pkt_data property for extension programs

When processing calls to global sub-programs, verifier decides whether to invalidate all packet pointers in current state depending on the changes_pkt_data property of the global sub-program.

Because of this, an extension program replacing a global sub-program must be compatible with changes_pkt_data property of the sub-program being replaced.

This commit:
- adds changes_pkt_data flag to struct bpf_prog_aux:
  - this flag is set in check_cfg() for main sub-program;
  - in jit_subprogs() for other sub-programs;
- modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;
- moves call to check_attach_btf_id() after the call to check_cfg(), because it needs changes_pkt_data flag to be set:

bpf_check:
  ...                             ...
- check_attach_btf_id             resolve_pseudo_ldimm64
  resolve_pseudo_ldimm64   -->    bpf_prog_is_offloaded
  bpf_prog_is_offloaded           check_cfg
  check_cfg                     + check_attach_btf_id
  ...                             ...

The following fields are set by check_attach_btf_id():
- env->ops
- prog->aux->attach_btf_trace
- prog->aux->attach_func_name
- prog->aux->attach_func_proto
- prog->aux->dst_trampoline
- prog->aux->mod
- prog->aux->saved_dst_attach_type
- prog->aux->saved_dst_prog_type
- prog->expected_attach_type

None of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers), so the reordering is safe.
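
A simplified user-space model of the compatibility rule described above, added here as an illustration; it is not kernel code. `struct prog_model`, the sample programs and all function names are hypothetical, and the model assumes the unsafe direction is an extension that changes packet data replacing a sub-program that is not marked as doing so.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the changes_pkt_data flag in struct bpf_prog_aux. */
struct prog_model { const char *name; bool changes_pkt_data; };

/* Constructed sample programs. */
static const struct prog_model target   = { "global_subprog",   false };
static const struct prog_model target_w = { "global_subprog_w", true  };
static const struct prog_model ext_bad  = { "ext_moves_pkt",    true  };
static const struct prog_model ext_ok   = { "ext_read_only",    false };

/* Caller verification: packet pointers checked before a call to a global
 * sub-program stay trusted only if the callee is not marked changes_pkt_data. */
static bool pkt_ptr_trusted_after_call(const struct prog_model *callee)
{
    return !callee->changes_pkt_data;
}

/* Attach-time rule: an extension may change packet data only if the
 * sub-program it replaces is already marked as doing so. */
static int check_extension_compat(const struct prog_model *ext,
                                  const struct prog_model *replaced)
{
    if (ext->changes_pkt_data && !replaced->changes_pkt_data)
        return -EINVAL;
    return 0;
}

/* True when the caller, verified against `replaced`, keeps trusting a packet
 * pointer that the extension actually running may have invalidated. */
static bool stale_pkt_ptr_possible(const struct prog_model *replaced,
                                   const struct prog_model *ext)
{
    return pkt_ptr_trusted_after_call(replaced) && ext->changes_pkt_data;
}

int main(void)
{
    printf("bad ext: stale=%d attach=%d\n",
           stale_pkt_ptr_possible(&target, &ext_bad),
           check_extension_compat(&ext_bad, &target));
    printf("ok ext:  stale=%d attach=%d\n",
           stale_pkt_ptr_possible(&target, &ext_ok),
           check_extension_compat(&ext_ok, &target));
    return 0;
}
```

In this model the attach check rejects exactly the pairing for which the caller's packet pointers could go stale.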

References

Affected packages