CVE-2024-50063

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Prevent tail call between progs attached to different hooks

bpf progs can be attached to kernel functions, and the attached functions can take different parameters or return different return values. If a prog attached to one kernel function tail calls a prog attached to another kernel function, the ctx access or return value verification could be bypassed.

For example, if prog1 is attached to func1 which takes only 1 parameter and prog2 is attached to func2 which takes two parameters. Since the verifier assumes the bpf ctx passed to prog2 is constructed based on func2's prototype, the verifier allows prog2 to access the second parameter from the bpf ctx passed to it. The problem is that the verifier does not prevent prog1 from passing its bpf ctx to prog2 via tail call. In this case, the bpf ctx passed to prog2 is constructed from func1 instead of func2, that is, the assumption for ctx access verification is bypassed.

Another example, if BPF LSM prog1 is attached to hook file_alloc_security, and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. The verifier knows the return value rules for these two hooks, e.g. it is legal for bpf_lsm_audit_rule_known to return the positive number 1, and it is illegal for file_alloc_security to return a positive number. So the verifier allows prog2 to return the positive number 1, but does not allow prog1 to return a positive number. The problem is that the verifier does not prevent prog1 from calling prog2 via tail call. In this case, prog2's return value 1 will be used as the return value for prog1's hook file_alloc_security. That is, the return value rule is bypassed.

This patch adds a restriction for tail calls to prevent such bypasses.
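The two bypasses described above, modelled as an added example in userspace C. This is not kernel code and not part of the advisory: the struct and function names, the prog-type enum, the numeric return bounds and the simplified "same type and same attach target" rule are this example's own assumptions, chosen to show why type-only compatibility of a tail-call prog array lets a callee verified under another hook's prototype run with the caller's ctx and return value, and why also requiring the attach target to match closes both cases. The real kernel check is more detailed than this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative program types (this example's own, not the kernel's enum). */
enum prog_type { PROG_TYPE_SCHED_CLS, PROG_TYPE_TRACING, PROG_TYPE_LSM };

/* What the verifier knows about a program: its type, the kernel function or
 * LSM hook it attaches to, and the rules derived from that target's prototype
 * (how many ctx arguments exist, which return values are legal). */
struct prog {
    const char *name;
    enum prog_type type;
    const char *attach_target;  /* NULL for types that do not attach to a hook */
    int ctx_args;
    int ret_min, ret_max;
};

/* A prog array used for tail calls: the first program inserted becomes the
 * owner, and every later insertion must be compatible with it. */
struct prog_array {
    bool has_owner;
    enum prog_type owner_type;
    const char *owner_attach_target;
};

static void claim_owner(struct prog_array *map, const struct prog *p)
{
    map->has_owner = true;
    map->owner_type = p->type;
    map->owner_attach_target = p->attach_target;
}

/* Pre-fix rule: any two programs of the same type may share a prog array. */
static bool map_compatible_before_fix(struct prog_array *map, const struct prog *p)
{
    if (!map->has_owner) {
        claim_owner(map, p);
        return true;
    }
    return map->owner_type == p->type;
}

/* Post-fix rule (simplified model): for types whose ctx layout and return
 * rules come from the attach target, the target must match too, so every
 * program reachable by tail call was verified under the caller's prototype. */
static bool map_compatible_after_fix(struct prog_array *map, const struct prog *p)
{
    if (!map->has_owner) {
        claim_owner(map, p);
        return true;
    }
    if (map->owner_type != p->type)
        return false;
    if (p->type == PROG_TYPE_TRACING || p->type == PROG_TYPE_LSM) {
        if (!map->owner_attach_target || !p->attach_target)
            return false;
        return strcmp(map->owner_attach_target, p->attach_target) == 0;
    }
    return true;
}

/* Insert `first` into a fresh prog array, then try to insert `second`.
 * Returns whether `second` was accepted, i.e. whether `first` may tail call it. */
static bool tail_call_allowed(const struct prog *first, const struct prog *second, bool fixed)
{
    struct prog_array map = { 0 };
    bool (*compat)(struct prog_array *, const struct prog *) =
        fixed ? map_compatible_after_fix : map_compatible_before_fix;
    if (!compat(&map, first))
        return false;
    return compat(&map, second);
}

/* What the callee could do that the caller's own verification forbade: read
 * ctx arguments the caller's hook never supplied, or produce a return value
 * outside the range legal for the caller's hook. */
static bool tail_call_bypasses_verifier(const struct prog *caller, const struct prog *callee)
{
    bool ctx_bypass = callee->ctx_args > caller->ctx_args;
    bool ret_bypass = callee->ret_max > caller->ret_max || callee->ret_min < caller->ret_min;
    return ctx_bypass || ret_bypass;
}

/* Constructed programs for the two scenarios in the commit message. Argument
 * counts and the "may return 1" / "may not return positive" rules follow the
 * text; the exact numeric bounds are illustrative. */
const struct prog prog1_func1 = { "prog1", PROG_TYPE_TRACING, "func1", 1, -4095, 0 };
const struct prog prog2_func2 = { "prog2", PROG_TYPE_TRACING, "func2", 2, -4095, 0 };
const struct prog lsm_prog1 = { "lsm_prog1", PROG_TYPE_LSM, "file_alloc_security", 1, -4095, 0 };
const struct prog lsm_prog2 = { "lsm_prog2", PROG_TYPE_LSM, "bpf_lsm_audit_rule_known", 1, -4095, 1 };

int main(void)
{
    const struct prog *pairs[][2] = { { &prog1_func1, &prog2_func2 }, { &lsm_prog1, &lsm_prog2 } };
    for (size_t i = 0; i < 2; i++) {
        const struct prog *a = pairs[i][0], *b = pairs[i][1];
        printf("%s -> %s: bypass=%d allowed_before_fix=%d allowed_after_fix=%d\n",
               a->name, b->name, tail_call_bypasses_verifier(a, b),
               tail_call_allowed(a, b, false), tail_call_allowed(a, b, true));
    }
    return 0;
}
```

In both scenarios the pre-fix rule accepts the second program into the array (same program type), and the callee's verified ctx width or return range exceeds what the caller's hook permits; the post-fix rule rejects the insertion, while two programs on the same hook still share an array.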

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)    6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)    6.11.4 (excluding)