cve/published/2024/CVE-2024-47794.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47794: bpf: Prevent tailcall infinite loop caused by freplace

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Prevent tailcall infinite loop caused by freplace

 There is a potential infinite loop issue that can occur when using a
 combination of tail calls and freplace.

 In an upcoming selftest, the attach target for entry_freplace of
 tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in
 entry_freplace leads to entry_tc. This results in an infinite loop:

 entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc.

 The problem arises because the tail_call_cnt in entry_freplace resets to
 zero each time entry_freplace is executed, causing the tail call mechanism
 to never terminate, eventually leading to a kernel panic.

 To fix this issue, the solution is twofold:

 1. Prevent updating a program extended by an freplace program to a
    prog_array map.
 2. Prevent extending a program that is already part of a prog_array map
    with an freplace program.

 This ensures that:

 * If a program or its subprogram has been extended by an freplace program,
   it can no longer be updated to a prog_array map.
 * If a program has been added to a prog_array map, neither it nor its
   subprograms can be extended by an freplace program.

 Moreover, an extension program should not be tailcalled. As such, return
 -EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a
 prog_array map.

 Additionally, fix a minor code style issue by replacing eight spaces with a
 tab for proper formatting.

 The Linux kernel CVE team has assigned CVE-2024-47794 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.12.5 with commit 987aa730bad3e1ef66d9f30182294daa78f6387d
 	Fixed in 6.13 with commit d6083f040d5d8f8d748462c77e90547097df936e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47794
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/bpf.h
 	kernel/bpf/arraymap.c
 	kernel/bpf/core.c
 	kernel/bpf/syscall.c
 	kernel/bpf/trampoline.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d
 	https://git.kernel.org/stable/c/d6083f040d5d8f8d748462c77e90547097df936e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47794: bpf: Prevent tailcall infinite loop caused by freplace

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Prevent tailcall infinite loop caused by freplace

	There is a potential infinite loop issue that can occur when using a
	combination of tail calls and freplace.

	In an upcoming selftest, the attach target for entry_freplace of
	tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in
	entry_freplace leads to entry_tc. This results in an infinite loop:

	entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc.

	The problem arises because the tail_call_cnt in entry_freplace resets to
	zero each time entry_freplace is executed, causing the tail call mechanism
	to never terminate, eventually leading to a kernel panic.

	To fix this issue, the solution is twofold:

	1. Prevent updating a program extended by an freplace program to a
	prog_array map.
	2. Prevent extending a program that is already part of a prog_array map
	with an freplace program.

	This ensures that:

	* If a program or its subprogram has been extended by an freplace program,
	it can no longer be updated to a prog_array map.
	* If a program has been added to a prog_array map, neither it nor its
	subprograms can be extended by an freplace program.

	Moreover, an extension program should not be tailcalled. As such, return
	-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a
	prog_array map.

	Additionally, fix a minor code style issue by replacing eight spaces with a
	tab for proper formatting.

	The Linux kernel CVE team has assigned CVE-2024-47794 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.12.5 with commit 987aa730bad3e1ef66d9f30182294daa78f6387d
	Fixed in 6.13 with commit d6083f040d5d8f8d748462c77e90547097df936e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47794
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/bpf.h
	kernel/bpf/arraymap.c
	kernel/bpf/core.c
	kernel/bpf/syscall.c
	kernel/bpf/trampoline.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/987aa730bad3e1ef66d9f30182294daa78f6387d
	https://git.kernel.org/stable/c/d6083f040d5d8f8d748462c77e90547097df936e