In the Linux kernel, the following vulnerability has been resolved:
bpf: check changes_pkt_data property for extension programs
When processing calls to global sub-programs, the verifier decides whether to invalidate all packet pointers in the current state depending on the changes_pkt_data property of the global sub-program.
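Because of this, an extension program replacing a global sub-program must be compatible with the changes_pkt_data property of the sub-program being replaced. Otherwise, a caller verified against a sub-program that does not change packet data could keep using packet pointers that the verifier never invalidated, even though the replacement extension modifies the packet.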
This commit:
- adds changes_pkt_data flag to struct bpf_prog_aux:
  - this flag is set in check_cfg() for main sub-program;
  - in jit_subprogs() for other sub-programs;
- modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;
- moves call to check_attach_btf_id() after the call to check_cfg(), because it needs changes_pkt_data flag to be set:
bpf_check:
  ...                             ...
- check_attach_btf_id             resolve_pseudo_ldimm64
  resolve_pseudo_ldimm64   -->    bpf_prog_is_offloaded
  bpf_prog_is_offloaded           check_cfg
  check_cfg                     + check_attach_btf_id
  ...                             ...
The following fields are set by check_attach_btf_id():
- env->ops
- prog->aux->attach_btf_trace
- prog->aux->attach_func_name
- prog->aux->attach_func_proto
- prog->aux->dst_trampoline
- prog->aux->mod
- prog->aux->saved_dst_attach_type
- prog->aux->saved_dst_prog_type
- prog->expected_attach_type
None of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers), so the reordering is safe.
[
    {
        "id": "CVE-2024-58100-41c76565",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_cfg"
        },
        "digest": {
            "function_hash": "45248079683813167683402731335303420018",
            "length": 1716.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3846e2bea565ee1c5195dcc625fda9868fb0e3b3"
    },
    {
        "id": "CVE-2024-58100-43387718",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "digest": {
            "line_hashes": [
                "35970877762275823247634563093080299915",
                "321250011878695199423743023972984143866",
                "63635655036853331451134063333519121879",
                "179777494650828055263048040156638334399",
                "285216844459133345077523019774730181842",
                "277650605827562036756948829492393980297",
                "143853112599752689093785120137915889638",
                "34295479178391859299387090279360193302",
                "54629837662157944231707046465920815129",
                "216234220496306043183738447302527957434",
                "153626650715511654168291738996583787511",
                "22359791382877838453573097560911981018",
                "181611752421546477690388214070961412658",
                "173135805961278273869526270161191611653",
                "175628496659423013417128615760212386795",
                "300219997863142139051469886691993508019",
                "286977607496440593145568941785803253559",
                "35631201565041747628469519962431540932",
                "316891287721919472649219735558806332830",
                "42829002810728402985247796234478018132",
                "97618688293600528882199532368690664818"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7"
    },
    {
        "id": "CVE-2024-58100-47cdcd38",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "bpf_check"
        },
        "digest": {
            "function_hash": "168932840598201656654753221222546025521",
            "length": 4836.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7"
    },
    {
        "id": "CVE-2024-58100-4bfd4b2e",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_cfg"
        },
        "digest": {
            "function_hash": "127199084367089093380152276338328940901",
            "length": 1446.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7"
    },
    {
        "id": "CVE-2024-58100-4e532d94",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "jit_subprogs"
        },
        "digest": {
            "function_hash": "119972775012037364729726692569419230639",
            "length": 6584.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81f6d0530ba031b5f038a091619bf2ff29568852"
    },
    {
        "id": "CVE-2024-58100-5a155e4f",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "include/linux/bpf.h"
        },
        "digest": {
            "line_hashes": [
                "236047085349228493091020174318073438801",
                "244497304677051448533646891040590649237",
                "269345688339116238162133079683041899729",
                "130280788633256563964102874146540851574"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81f6d0530ba031b5f038a091619bf2ff29568852"
    },
    {
        "id": "CVE-2024-58100-61e59078",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "bpf_check"
        },
        "digest": {
            "function_hash": "332640433257794334518370502031690261",
            "length": 5278.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3846e2bea565ee1c5195dcc625fda9868fb0e3b3"
    },
    {
        "id": "CVE-2024-58100-6832d0b4",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "bpf_check_attach_target"
        },
        "digest": {
            "function_hash": "277365086799560356516999051529606533328",
            "length": 5384.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7"
    },
    {
        "id": "CVE-2024-58100-6b3fa024",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "digest": {
            "line_hashes": [
                "35970877762275823247634563093080299915",
                "321250011878695199423743023972984143866",
                "63635655036853331451134063333519121879",
                "179777494650828055263048040156638334399",
                "160485654134991996091019078155910637701",
                "310324115956895663977077160968988548977",
                "214494118131722898333241832740280064815",
                "8544518923282586530094853782346268451",
                "54629837662157944231707046465920815129",
                "216234220496306043183738447302527957434",
                "153626650715511654168291738996583787511",
                "22359791382877838453573097560911981018",
                "181611752421546477690388214070961412658",
                "173135805961278273869526270161191611653",
                "175628496659423013417128615760212386795",
                "300219997863142139051469886691993508019",
                "286977607496440593145568941785803253559",
                "35631201565041747628469519962431540932",
                "106225529814571089588465243690990541781",
                "294110401003099782249439180609801879880",
                "169754746613672504605400729089813271162"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3846e2bea565ee1c5195dcc625fda9868fb0e3b3"
    },
    {
        "id": "CVE-2024-58100-8f4728d4",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "kernel/bpf/verifier.c"
        },
        "digest": {
            "line_hashes": [
                "35970877762275823247634563093080299915",
                "321250011878695199423743023972984143866",
                "63635655036853331451134063333519121879",
                "179777494650828055263048040156638334399",
                "160485654134991996091019078155910637701",
                "310324115956895663977077160968988548977",
                "214494118131722898333241832740280064815",
                "8544518923282586530094853782346268451",
                "54629837662157944231707046465920815129",
                "216234220496306043183738447302527957434",
                "153626650715511654168291738996583787511",
                "22359791382877838453573097560911981018",
                "181611752421546477690388214070961412658",
                "173135805961278273869526270161191611653",
                "175628496659423013417128615760212386795",
                "300219997863142139051469886691993508019",
                "286977607496440593145568941785803253559",
                "35631201565041747628469519962431540932",
                "106225529814571089588465243690990541781",
                "294110401003099782249439180609801879880",
                "169754746613672504605400729089813271162"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81f6d0530ba031b5f038a091619bf2ff29568852"
    },
    {
        "id": "CVE-2024-58100-a7011c01",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "include/linux/bpf.h"
        },
        "digest": {
            "line_hashes": [
                "104478269449798564556317037393612832815",
                "102038434344220537938192745428483950271",
                "238951251659077581387561551903842572699",
                "272621567939990454645871832076944578637"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7"
    },
    {
        "id": "CVE-2024-58100-a741b488",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "bpf_check_attach_target"
        },
        "digest": {
            "function_hash": "325563950865048156121390268218299700112",
            "length": 6262.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3846e2bea565ee1c5195dcc625fda9868fb0e3b3"
    },
    {
        "id": "CVE-2024-58100-b19654ea",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "jit_subprogs"
        },
        "digest": {
            "function_hash": "118453115075096908019755065932367140441",
            "length": 6455.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3846e2bea565ee1c5195dcc625fda9868fb0e3b3"
    },
    {
        "id": "CVE-2024-58100-d381e60c",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "bpf_check_attach_target"
        },
        "digest": {
            "function_hash": "325563950865048156121390268218299700112",
            "length": 6262.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81f6d0530ba031b5f038a091619bf2ff29568852"
    },
    {
        "id": "CVE-2024-58100-dc8f95d8",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "check_cfg"
        },
        "digest": {
            "function_hash": "45248079683813167683402731335303420018",
            "length": 1716.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81f6d0530ba031b5f038a091619bf2ff29568852"
    },
    {
        "id": "CVE-2024-58100-f50feae3",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "jit_subprogs"
        },
        "digest": {
            "function_hash": "273930947194397579934551655390150225972",
            "length": 5315.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7197fc4acdf238ec8ad06de5a8235df0c1f9c7d7"
    },
    {
        "id": "CVE-2024-58100-f69c4ab5",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "include/linux/bpf.h"
        },
        "digest": {
            "line_hashes": [
                "217234297446525168054228440574315972912",
                "40015323134520679684627680783315654359",
                "272669520972311391395230082744454458131",
                "232577004427639979846806427632612280406"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3846e2bea565ee1c5195dcc625fda9868fb0e3b3"
    },
    {
        "id": "CVE-2024-58100-fbf87cad",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "bpf_check"
        },
        "digest": {
            "function_hash": "333782856925335869455888520300981299913",
            "length": 5310.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81f6d0530ba031b5f038a091619bf2ff29568852"
    }
]