fkie_cve-2024-47794
Vulnerability from fkie_nvd
Published
2025-01-11 13:15
Modified
2025-01-11 13:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent tailcall infinite loop caused by freplace
There is a potential infinite loop issue that can occur when using a
combination of tail calls and freplace.
In an upcoming selftest, the attach target for entry_freplace of
tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in
entry_freplace leads to entry_tc. This results in an infinite loop:
entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc.
The problem arises because the tail_call_cnt in entry_freplace resets to
zero each time entry_freplace is executed, causing the tail call mechanism
to never terminate, eventually leading to a kernel panic.
To fix this issue, the solution is twofold:
1. Prevent updating a program extended by an freplace program to a
prog_array map.
2. Prevent extending a program that is already part of a prog_array map
with an freplace program.
This ensures that:
* If a program or its subprogram has been extended by an freplace program,
it can no longer be updated to a prog_array map.
* If a program has been added to a prog_array map, neither it nor its
subprograms can be extended by an freplace program.
Moreover, an extension program should not be tailcalled. As such, return
-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a
prog_array map.
Additionally, fix a minor code style issue by replacing eight spaces with a
tab for proper formatting.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tailcall infinite loop caused by freplace\n\nThere is a potential infinite loop issue that can occur when using a\ncombination of tail calls and freplace.\n\nIn an upcoming selftest, the attach target for entry_freplace of\ntailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in\nentry_freplace leads to entry_tc. This results in an infinite loop:\n\nentry_tc -\u003e subprog_tc -\u003e entry_freplace --tailcall-\u003e entry_tc.\n\nThe problem arises because the tail_call_cnt in entry_freplace resets to\nzero each time entry_freplace is executed, causing the tail call mechanism\nto never terminate, eventually leading to a kernel panic.\n\nTo fix this issue, the solution is twofold:\n\n1. Prevent updating a program extended by an freplace program to a\n prog_array map.\n2. Prevent extending a program that is already part of a prog_array map\n with an freplace program.\n\nThis ensures that:\n\n* If a program or its subprogram has been extended by an freplace program,\n it can no longer be updated to a prog_array map.\n* If a program has been added to a prog_array map, neither it nor its\n subprograms can be extended by an freplace program.\n\nMoreover, an extension program should not be tailcalled. As such, return\n-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a\nprog_array map.\n\nAdditionally, fix a minor code style issue by replacing eight spaces with a\ntab for proper formatting."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Evitar bucle infinito de tailcall causado por freplace Existe un posible problema de bucle infinito que puede ocurrir al usar una combinaci\u00f3n de llamadas de cola y freplace. En una pr\u00f3xima autoprueba, el objetivo de conexi\u00f3n para entry_freplace de tailcall_freplace.c es subprog_tc de tc_bpf2bpf.c, mientras que la llamada de cola en entry_freplace conduce a entry_tc. Esto da como resultado un bucle infinito: entry_tc -\u0026gt; subprog_tc -\u0026gt; entry_freplace --tailcall-\u0026gt; entry_tc. El problema surge porque tail_call_cnt en entry_freplace se restablece a cero cada vez que se ejecuta entry_freplace, lo que hace que el mecanismo de llamada de cola nunca finalice, lo que finalmente conduce a un p\u00e1nico del kernel. Para solucionar este problema, la soluci\u00f3n es doble: 1. Evitar actualizar un programa extendido por un programa freplace a un mapa prog_array. 2. Evite extender un programa que ya es parte de un mapa prog_array con un programa freplace. Esto garantiza que: * Si un programa o su subprograma ha sido extendido por un programa freplace, ya no puede actualizarse a un mapa prog_array. * Si un programa ha sido agregado a un mapa prog_array, ni \u00e9l ni sus subprogramas pueden ser extendidos por un programa freplace. Adem\u00e1s, un programa de extensi\u00f3n no debe ser llamado al final. Como tal, devuelva -EINVAL si el programa tiene un tipo de BPF_PROG_TYPE_EXT al agregarlo a un mapa prog_array. Adem\u00e1s, solucione un problema menor de estilo de c\u00f3digo reemplazando ocho espacios con una tabulaci\u00f3n para un formato adecuado."
}
],
"id": "CVE-2024-47794",
"lastModified": "2025-01-11T13:15:22.390",
"metrics": {},
"published": "2025-01-11T13:15:22.390",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d6083f040d5d8f8d748462c77e90547097df936e"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.