CVE-2024-36937

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xdp: use flags field to disambiguate broadcast redirect<br /> <br /> When redirecting a packet using XDP, the bpf_redirect_map() helper will set<br /> up the redirect destination information in struct bpf_redirect_info (using<br /> the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()<br /> function will read this information after the XDP program returns and pass<br /> the frame on to the right redirect destination.<br /> <br /> When using the BPF_F_BROADCAST flag to do multicast redirect to a whole<br /> map, __bpf_xdp_redirect_map() sets the &amp;#39;map&amp;#39; pointer in struct<br /> bpf_redirect_info to point to the destination map to be broadcast. And<br /> xdp_do_redirect() reacts to the value of this map pointer to decide whether<br /> it&amp;#39;s dealing with a broadcast or a single-value redirect. However, if the<br /> destination map is being destroyed before xdp_do_redirect() is called, the<br /> map pointer will be cleared out (by bpf_clear_redirect_map()) without<br /> waiting for any XDP programs to stop running. This causes xdp_do_redirect()<br /> to think that the redirect was to a single target, but the target pointer<br /> is also NULL (since broadcast redirects don&amp;#39;t have a single target), so<br /> this causes a crash when a NULL pointer is passed to dev_map_enqueue().<br /> <br /> To fix this, change xdp_do_redirect() to react directly to the presence of<br /> the BPF_F_BROADCAST flag in the &amp;#39;flags&amp;#39; value in struct bpf_redirect_info<br /> to disambiguate between a single-target and a broadcast redirect. And only<br /> read the &amp;#39;map&amp;#39; pointer if the broadcast flag is set, aborting if that has<br /> been cleared out in the meantime. This prevents the crash, while keeping<br /> the atomic (cmpxchg-based) clearing of the map pointer itself, and without<br /> adding any more checks in the non-broadcast fast path.