CVE-2025-40169

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Reject negative offsets for ALU ops<br /> <br /> When verifying BPF programs, the check_alu_op() function validates<br /> instructions with ALU operations. The &amp;#39;offset&amp;#39; field in these<br /> instructions is a signed 16-bit integer.<br /> <br /> The existing check &amp;#39;insn-&gt;off &gt; 1&amp;#39; was intended to ensure the offset is<br /> either 0, or 1 for BPF_MOD/BPF_DIV. However, because &amp;#39;insn-&gt;off&amp;#39; is<br /> signed, this check incorrectly accepts all negative values (e.g., -1).<br /> <br /> This commit tightens the validation by changing the condition to<br /> &amp;#39;(insn-&gt;off != 0 &amp;&amp; insn-&gt;off != 1)&amp;#39;. This ensures that any value<br /> other than the explicitly permitted 0 and 1 is rejected, hardening the<br /> verifier against malformed BPF programs.