CVE-2024-42072
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 29/07/2024
Last modified: 01/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix may_goto with negative offset.

Zac's syzbot crafted a bpf prog that exposed two bugs in may_goto.
The 1st bug is the way may_goto is patched. When offset is negative
it should be patched differently.
The 2nd bug is in the verifier:
when current state may_goto_depth is equal to visited state may_goto_depth
it means there is an actual infinite loop. It's not correct to prune
exploration of the program at this point.
Note, that this check doesn't limit the program to only one may_goto insn,
since 2nd and any further may_goto will increment may_goto_depth only
in the queued state pushed for future exploration. The current state
will have may_goto_depth == 0 regardless of number of may_goto insns
and the verifier has to explore the program until bpf_exit.
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.9.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:* | | |



