CVE-2024-58237

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 05/05/2025
Last modified: 09/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: consider that tail calls invalidate packet pointers

Tail-called programs could execute any of the helpers that invalidate packet pointers. Hence, conservatively assume that each tail call invalidates packet pointers.

Making the change in bpf_helper_changes_pkt_data() automatically makes use of check_cfg() logic that computes 'changes_pkt_data' effect for global sub-programs, such that the following program could be rejected:

    int tail_call(struct __sk_buff *sk)
    {
        bpf_tail_call_static(sk, &jmp_table, 0);
        return 0;
    }

    SEC("tc")
    int not_safe(struct __sk_buff *sk)
    {
        int *p = (void *)(long)sk->data;
        ... make p valid ...
        tail_call(sk);
        *p = 42; /* this is unsafe */
        ...
    }

The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that can invalidate packet pointers. Otherwise, it can't be freplaced with tailcall_freplace.c:entry_freplace() that does a tail call.
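The rule described above, as an added example: a simplified userspace model, not kernel or project code. It shows why not_safe() passes when tail calls are ignored and is rejected once they count as invalidating packet pointers, while a variant that re-derives the pointer after the call is still accepted. The op names, struct prog, verify() and the fixed flag are assumptions made for this illustration.

```c
/* Simplified userspace model of the verifier rule; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
enum op { END, LOAD_PKT, DEREF_PKT, TAIL_CALL, CALL_TAIL_SUBPROG };
struct prog { enum op ops[8]; };
/* Constructed programs mirroring the description above. */
static const struct prog tail_call_sub = { { TAIL_CALL } };
static const struct prog not_safe = { { LOAD_PKT, CALL_TAIL_SUBPROG, DEREF_PKT } };
static const struct prog reloaded = { { LOAD_PKT, CALL_TAIL_SUBPROG, LOAD_PKT, DEREF_PKT } };

static bool op_changes_pkt_data(enum op o, bool fixed);
/* Summary effect of a subprogram: true if any op may invalidate pointers. */
static bool prog_changes_pkt_data(const struct prog *p, bool fixed)
{
    for (int i = 0; p->ops[i] != END; i++)
        if (op_changes_pkt_data(p->ops[i], fixed))
            return true;
    return false;
}

static bool op_changes_pkt_data(enum op o, bool fixed)
{
    if (o == TAIL_CALL)
        return fixed; /* the fix: the callee may run any helper */
    if (o == CALL_TAIL_SUBPROG)
        return prog_changes_pkt_data(&tail_call_sub, fixed);
    return false;
}

/* Returns true if accepted, false if a stale packet pointer is used. */
bool verify(const struct prog *p, bool fixed)
{
    bool pkt_valid = false;
    for (int i = 0; p->ops[i] != END; i++) {
        enum op o = p->ops[i];
        if (o == LOAD_PKT)
            pkt_valid = true; /* pointer loaded and bounds-checked */
        else if (o == DEREF_PKT && !pkt_valid)
            return false;
        else if (op_changes_pkt_data(o, fixed))
            pkt_valid = false;
    }
    return true;
}

int main(void)
{
    printf("not_safe pre-fix=%d post-fix=%d\n", verify(&not_safe, false), verify(&not_safe, true));
    return !verify(&reloaded, true);
}
```

In real BPF C, the accepted variant corresponds to reloading sk->data and sk->data_end and repeating the bounds check after tail_call(sk) returns.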

Impact