CVE-2024-35894

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: prevent BPF accessing lowat from a subflow socket.<br /> <br /> Alexei reported the following splat:<br /> <br /> WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0<br /> Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]<br /> CPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23<br /> Call Trace:<br /> <br /> mptcp_set_rcvlowat+0x79/0x1d0<br /> sk_setsockopt+0x6c0/0x1540<br /> __bpf_setsockopt+0x6f/0x90<br /> bpf_sock_ops_setsockopt+0x3c/0x90<br /> bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b<br /> bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132<br /> bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86<br /> __cgroup_bpf_run_filter_sock_ops+0xbc/0x250<br /> tcp_connect+0x879/0x1160<br /> tcp_v6_connect+0x50c/0x870<br /> mptcp_connect+0x129/0x280<br /> __inet_stream_connect+0xce/0x370<br /> inet_stream_connect+0x36/0x50<br /> bpf_trampoline_6442491565+0x49/0xef<br /> inet_stream_connect+0x5/0x50<br /> __sys_connect+0x63/0x90<br /> __x64_sys_connect+0x14/0x20<br /> <br /> The root cause of the issue is that bpf allows accessing mptcp-level<br /> proto_ops from a tcp subflow scope.<br /> <br /> Fix the issue detecting the problematic call and preventing any action.