In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject negative offsets for ALU ops
When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations. The offset field in these instructions is a signed 16-bit integer.
The existing check insn->off > 1 was intended to ensure the offset is either 0, or 1 for BPF_MOD/BPF_DIV. However, because insn->off is signed, this check incorrectly accepts all negative values (e.g., -1).
This commit tightens the validation by changing the condition to (insn->off != 0 && insn->off != 1). This ensures that any value other than the explicitly permitted 0 and 1 is rejected, hardening the verifier against malformed BPF programs.