{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/core/filter.c" ], "versions": [ { "version": "e624d4ed4aa8", "lessThan": "12481f30128f", "status": "affected", "versionType": "git" }, { "version": "e624d4ed4aa8", "lessThan": "272bfb019f3c", "status": "affected", "versionType": "git" }, { "version": "e624d4ed4aa8", "lessThan": "e22e25820fa0", "status": "affected", "versionType": "git" }, { "version": "e624d4ed4aa8", "lessThan": "6fd81f9d333e", "status": "affected", "versionType": "git" }, { "version": "e624d4ed4aa8", "lessThan": "5bcf0dcbf906", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/core/filter.c" ], "versions": [ { "version": "5.14", "status": "affected" }, { "version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.159", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.1.91", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "custom" }, { "version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e" }, { "url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc" }, { "url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4" }, { "url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553" }, { "url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c" } ], "title": "xdp: use flags field to disambiguate broadcast redirect", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2024-36937", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }