CVE-2024-50161

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
07/11/2024
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check the remaining info_cnt before repeating btf fields

When trying to repeat the btf fields for array of nested struct, it
doesn't check the remaining info_cnt. The following splat will be
reported when the value of ret * nelems is greater than BTF_FIELDS_MAX:

  ------------[ cut here ]------------
  UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49
  index 11 is out of range for type 'btf_field_info [11]'
  CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1
  Tainted: [O]=OOT_MODULE
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
  Call Trace:

  dump_stack_lvl+0x57/0x70
  dump_stack+0x10/0x20
  ubsan_epilogue+0x9/0x40
  __ubsan_handle_out_of_bounds+0x6f/0x80
  ? kallsyms_lookup_name+0x48/0xb0
  btf_parse_fields+0x992/0xce0
  map_create+0x591/0x770
  __sys_bpf+0x229/0x2410
  __x64_sys_bpf+0x1f/0x30
  x64_sys_call+0x199/0x9f0
  do_syscall_64+0x3b/0xc0
  entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x7fea56f2cc5d
  ......

  ---[ end trace ]---

Fix it by checking the remaining info_cnt in btf_repeat_fields() before
repeating the btf fields.
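The check described above, as an added userspace model that is not the kernel's own code: `struct field_info`, `repeat_fields_checked()` and `demo()` are hypothetical names, and `FIELDS_MAX` is set to 11 only to match the array size shown in the splat. The function refuses to repeat fields when fields-per-element times element count (the description's `ret * nelems`) exceeds the capacity of the info array.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELDS_MAX 11 /* capacity, as in 'btf_field_info [11]' in the splat */

/* Simplified stand-in for the kernel's btf_field_info (assumption). */
struct field_info { uint32_t type; uint32_t off; };

/* Repeat the first field_cnt entries of info[] for repeat_cnt further array
 * elements spaced elem_size bytes apart. info_cnt is the capacity of info[].
 * Returns 0, or -E2BIG when the repeated fields would not fit. */
static int repeat_fields_checked(struct field_info *info, uint32_t info_cnt,
                                 uint32_t field_cnt, uint32_t repeat_cnt,
                                 uint32_t elem_size)
{
    uint64_t needed = (uint64_t)field_cnt * ((uint64_t)repeat_cnt + 1);
    uint32_t i, j, cur = field_cnt;

    /* Bounds check before any write: without it the loop below would
     * index past info[info_cnt - 1], as UBSAN reports in the splat. */
    if (needed > info_cnt)
        return -E2BIG;

    for (i = 0; i < repeat_cnt; i++) {
        memcpy(&info[cur], &info[0], field_cnt * sizeof(info[0]));
        for (j = 0; j < field_cnt; j++)
            info[cur++].off += (i + 1) * elem_size;
    }
    return 0;
}

/* Constructed sample: a 24-byte nested struct with 3 fields, as an array. */
static int demo(uint32_t nelems)
{
    struct field_info info[FIELDS_MAX] = { { 1, 0 }, { 2, 8 }, { 3, 16 } };
    int ret = repeat_fields_checked(info, FIELDS_MAX, 3, nelems - 1, 24);

    if (ret)
        return ret;
    return (int)info[3 * nelems - 1].off; /* offset of last repeated field */
}

int main(void)
{
    printf("3 elements: %d\n", demo(3)); /* 9 fields fit in 11 slots */
    printf("4 elements: %d\n", demo(4)); /* 12 fields do not fit */
    return 0;
}
```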

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*