CVE-2024-58100

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: check changes_pkt_data property for extension programs<br /> <br /> When processing calls to global sub-programs, verifier decides whether<br /> to invalidate all packet pointers in current state depending on the<br /> changes_pkt_data property of the global sub-program.<br /> <br /> Because of this, an extension program replacing a global sub-program<br /> must be compatible with changes_pkt_data property of the sub-program<br /> being replaced.<br /> <br /> This commit:<br /> - adds changes_pkt_data flag to struct bpf_prog_aux:<br /> - this flag is set in check_cfg() for main sub-program;<br /> - in jit_subprogs() for other sub-programs;<br /> - modifies bpf_check_attach_btf_id() to check changes_pkt_data flag;<br /> - moves call to check_attach_btf_id() after the call to check_cfg(),<br /> because it needs changes_pkt_data flag to be set:<br /> <br /> bpf_check:<br /> ... ...<br /> - check_attach_btf_id resolve_pseudo_ldimm64<br /> resolve_pseudo_ldimm64 --&gt; bpf_prog_is_offloaded<br /> bpf_prog_is_offloaded check_cfg<br /> check_cfg + check_attach_btf_id<br /> ... ...<br /> <br /> The following fields are set by check_attach_btf_id():<br /> - env-&gt;ops<br /> - prog-&gt;aux-&gt;attach_btf_trace<br /> - prog-&gt;aux-&gt;attach_func_name<br /> - prog-&gt;aux-&gt;attach_func_proto<br /> - prog-&gt;aux-&gt;dst_trampoline<br /> - prog-&gt;aux-&gt;mod<br /> - prog-&gt;aux-&gt;saved_dst_attach_type<br /> - prog-&gt;aux-&gt;saved_dst_prog_type<br /> - prog-&gt;expected_attach_type<br /> <br /> Neither of these fields are used by resolve_pseudo_ldimm64() or<br /> bpf_prog_offload_verifier_prep() (for netronome and netdevsim<br /> drivers), so the reordering is safe.