CVE-2024-58237

In the Linux kernel, the following vulnerability has been resolved:

bpf: consider that tail calls invalidate packet pointers

Tail-called programs could execute any of the helpers that invalidate packet pointers. Hence, conservatively assume that each tail call invalidates packet pointers.

Making the change in bpf_helper_changes_pkt_data() automatically makes use of check_cfg() logic that computes changes_pkt_data effect for global sub-programs, such that the following program could be rejected:

int tail_call(struct __sk_buff *sk)
{
	bpf_tail_call_static(sk, &jmp_table, 0);
	return 0;
}

SEC(tc)
int not_safe(struct __sk_buff *sk)
{
	int *p = (void *)(long)sk->data;
	... make p valid ...
	tail_call(sk);
	*p = 42; /* this is unsafe */
	...
}

The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that can invalidate packet pointers. Otherwise, it cant be freplaced with tailcall_freplace.c:entry_freplace() that does a tail call.

Affected Software

Name	Vendor	Start Version	End Version
Linux-allwinner-5.19	Ubuntu	jammy	*
Linux-allwinner-5.19	Ubuntu	upstream	*
Linux-aws-5.0	Ubuntu	esm-infra/bionic	*
Linux-aws-5.0	Ubuntu	upstream	*
Linux-aws-5.11	Ubuntu	focal	*
Linux-aws-5.11	Ubuntu	upstream	*
Linux-aws-5.13	Ubuntu	focal	*
Linux-aws-5.13	Ubuntu	upstream	*
Linux-aws-5.19	Ubuntu	jammy	*
Linux-aws-5.19	Ubuntu	upstream	*
Linux-aws-5.3	Ubuntu	esm-infra/bionic	*
Linux-aws-5.3	Ubuntu	upstream	*
Linux-aws-5.8	Ubuntu	focal	*
Linux-aws-5.8	Ubuntu	upstream	*
Linux-aws-6.2	Ubuntu	jammy	*
Linux-aws-6.2	Ubuntu	upstream	*
Linux-aws-6.5	Ubuntu	jammy	*
Linux-aws-6.5	Ubuntu	upstream	*
Linux-azure	Ubuntu	esm-infra/bionic	*
Linux-azure-5.11	Ubuntu	focal	*
Linux-azure-5.11	Ubuntu	upstream	*
Linux-azure-5.13	Ubuntu	focal	*
Linux-azure-5.13	Ubuntu	upstream	*
Linux-azure-5.19	Ubuntu	jammy	*
Linux-azure-5.19	Ubuntu	upstream	*
Linux-azure-5.3	Ubuntu	esm-infra/bionic	*
Linux-azure-5.3	Ubuntu	upstream	*
Linux-azure-5.8	Ubuntu	focal	*
Linux-azure-5.8	Ubuntu	upstream	*
Linux-azure-6.2	Ubuntu	jammy	*
Linux-azure-6.2	Ubuntu	upstream	*
Linux-azure-6.5	Ubuntu	jammy	*
Linux-azure-6.5	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	esm-infra/bionic	*
Linux-azure-edge	Ubuntu	upstream	*
Linux-azure-fde	Ubuntu	focal	*
Linux-azure-fde-5.19	Ubuntu	jammy	*
Linux-azure-fde-5.19	Ubuntu	upstream	*
Linux-azure-fde-6.2	Ubuntu	jammy	*
Linux-azure-fde-6.2	Ubuntu	upstream	*
Linux-gcp	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.11	Ubuntu	focal	*
Linux-gcp-5.11	Ubuntu	upstream	*
Linux-gcp-5.13	Ubuntu	focal	*
Linux-gcp-5.13	Ubuntu	upstream	*
Linux-gcp-5.19	Ubuntu	jammy	*
Linux-gcp-5.19	Ubuntu	upstream	*
Linux-gcp-5.3	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.3	Ubuntu	upstream	*
Linux-gcp-5.8	Ubuntu	focal	*
Linux-gcp-5.8	Ubuntu	upstream	*
Linux-gcp-6.2	Ubuntu	jammy	*
Linux-gcp-6.2	Ubuntu	upstream	*
Linux-gcp-6.5	Ubuntu	jammy	*
Linux-gcp-6.5	Ubuntu	upstream	*
Linux-gke	Ubuntu	focal	*
Linux-gke-4.15	Ubuntu	esm-infra/bionic	*
Linux-gke-4.15	Ubuntu	upstream	*
Linux-gke-5.15	Ubuntu	focal	*
Linux-gke-5.15	Ubuntu	upstream	*
Linux-gke-5.4	Ubuntu	esm-infra/bionic	*
Linux-gke-5.4	Ubuntu	upstream	*
Linux-gkeop	Ubuntu	focal	*
Linux-gkeop-5.15	Ubuntu	focal	*
Linux-gkeop-5.4	Ubuntu	esm-infra/bionic	*
Linux-gkeop-5.4	Ubuntu	upstream	*
Linux-hwe	Ubuntu	esm-infra/bionic	*
Linux-hwe-5.11	Ubuntu	focal	*
Linux-hwe-5.11	Ubuntu	upstream	*
Linux-hwe-5.13	Ubuntu	focal	*
Linux-hwe-5.13	Ubuntu	upstream	*
Linux-hwe-5.19	Ubuntu	jammy	*
Linux-hwe-5.19	Ubuntu	upstream	*
Linux-hwe-5.8	Ubuntu	focal	*
Linux-hwe-5.8	Ubuntu	upstream	*
Linux-hwe-6.2	Ubuntu	jammy	*
Linux-hwe-6.2	Ubuntu	upstream	*
Linux-hwe-6.5	Ubuntu	jammy	*
Linux-hwe-6.5	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/xenial	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-intel-5.13	Ubuntu	focal	*
Linux-intel-5.13	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.19	Ubuntu	jammy	*
Linux-lowlatency-hwe-5.19	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.2	Ubuntu	jammy	*
Linux-lowlatency-hwe-6.2	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.5	Ubuntu	jammy	*
Linux-lowlatency-hwe-6.5	Ubuntu	upstream	*
Linux-nvidia-6.2	Ubuntu	jammy	*
Linux-nvidia-6.2	Ubuntu	upstream	*
Linux-nvidia-6.5	Ubuntu	jammy	*
Linux-nvidia-6.5	Ubuntu	upstream	*
Linux-oem	Ubuntu	esm-infra/bionic	*
Linux-oem	Ubuntu	upstream	*
Linux-oem-5.10	Ubuntu	focal	*
Linux-oem-5.10	Ubuntu	upstream	*
Linux-oem-5.13	Ubuntu	focal	*
Linux-oem-5.13	Ubuntu	upstream	*
Linux-oem-5.14	Ubuntu	focal	*
Linux-oem-5.14	Ubuntu	upstream	*
Linux-oem-5.17	Ubuntu	jammy	*
Linux-oem-5.17	Ubuntu	upstream	*
Linux-oem-5.6	Ubuntu	focal	*
Linux-oem-5.6	Ubuntu	upstream	*
Linux-oem-6.0	Ubuntu	jammy	*
Linux-oem-6.0	Ubuntu	upstream	*
Linux-oem-6.1	Ubuntu	jammy	*
Linux-oem-6.1	Ubuntu	upstream	*
Linux-oem-6.5	Ubuntu	jammy	*
Linux-oem-6.5	Ubuntu	upstream	*
Linux-oracle-5.0	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.0	Ubuntu	upstream	*
Linux-oracle-5.11	Ubuntu	focal	*
Linux-oracle-5.11	Ubuntu	upstream	*
Linux-oracle-5.13	Ubuntu	focal	*
Linux-oracle-5.13	Ubuntu	upstream	*
Linux-oracle-5.3	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.3	Ubuntu	upstream	*
Linux-oracle-5.8	Ubuntu	focal	*
Linux-oracle-5.8	Ubuntu	upstream	*
Linux-oracle-6.5	Ubuntu	jammy	*
Linux-oracle-6.5	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-realtime	Ubuntu	jammy	*
Linux-realtime	Ubuntu	noble	*
Linux-riscv	Ubuntu	focal	*
Linux-riscv	Ubuntu	jammy	*
Linux-riscv-5.11	Ubuntu	focal	*
Linux-riscv-5.11	Ubuntu	upstream	*
Linux-riscv-5.19	Ubuntu	jammy	*
Linux-riscv-5.19	Ubuntu	upstream	*
Linux-riscv-5.8	Ubuntu	focal	*
Linux-riscv-5.8	Ubuntu	upstream	*
Linux-riscv-6.5	Ubuntu	jammy	*
Linux-riscv-6.5	Ubuntu	upstream	*
Linux-starfive-5.19	Ubuntu	jammy	*
Linux-starfive-5.19	Ubuntu	upstream	*
Linux-starfive-6.2	Ubuntu	jammy	*
Linux-starfive-6.2	Ubuntu	upstream	*
Linux-starfive-6.5	Ubuntu	jammy	*
Linux-starfive-6.5	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-58237
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References