CVE-2024-58237
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/05/2025
Last modified:
09/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf: consider that tail calls invalidate packet pointers<br />
<br />
Tail-called programs could execute any of the helpers that invalidate<br />
packet pointers. Hence, conservatively assume that each tail call<br />
invalidates packet pointers.<br />
<br />
Making the change in bpf_helper_changes_pkt_data() automatically makes<br />
use of check_cfg() logic that computes &#39;changes_pkt_data&#39; effect for<br />
global sub-programs, such that the following program could be<br />
rejected:<br />
<br />
int tail_call(struct __sk_buff *sk)<br />
{<br />
bpf_tail_call_static(sk, &jmp_table, 0);<br />
return 0;<br />
}<br />
<br />
SEC("tc")<br />
int not_safe(struct __sk_buff *sk)<br />
{<br />
int *p = (void *)(long)sk->data;<br />
... make p valid ...<br />
tail_call(sk);<br />
*p = 42; /* this is unsafe */<br />
...<br />
}<br />
<br />
The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that<br />
can invalidate packet pointers. Otherwise, it can&#39;t be freplaced with<br />
tailcall_freplace.c:entry_freplace() that does a tail call.