CVE-2024-45020

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-45020
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45020.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45020
Downstream
Related
Published
2024-09-11T15:13:54.591Z
Modified
2025-11-20T05:45:28.580384Z
Summary
bpf: Fix a kernel verifier crash in stacksafe()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code:

if (exact != NOT_EXACT &&
    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
        return false;

The 'i' iterates old->allocatedstack. If cur->allocatedstack < old->allocated_stack the out-of-bound access will happen.

To fix the issue add 'i >= cur->allocatedstack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slottype[i % BPFREGSIZE] memory access is legal.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ab470fefce2837e66b771c60858118d50bb5bb10
Fixed
7cad3174cc79519bf5f6c4441780264416822c08
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2793a8b015f7f1caadb9bce9c63dc659f7522676
Fixed
6e3987ac310c74bb4dd6a2fa8e46702fe505fb2b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2793a8b015f7f1caadb9bce9c63dc659f7522676
Fixed
bed2eb964c70b780fb55925892a74f26cb590b25

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.6
v6.6-rc6
v6.6-rc7
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "322198325282551150497597915949366478266",
                "35115837087594568153765789816046257035",
                "254103083496380533287246688785723376362",
                "334916770808929024351956086150989644671",
                "233574285408353597226430589877391362589"
            ]
        },
        "id": "CVE-2024-45020-722d608d",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bed2eb964c70b780fb55925892a74f26cb590b25",
        "target": {
            "file": "kernel/bpf/verifier.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "77733944842172065930539484698791680204",
            "length": 2400.0
        },
        "id": "CVE-2024-45020-74fc0fe5",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6e3987ac310c74bb4dd6a2fa8e46702fe505fb2b",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "stacksafe"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "322198325282551150497597915949366478266",
                "35115837087594568153765789816046257035",
                "254103083496380533287246688785723376362",
                "334916770808929024351956086150989644671",
                "233574285408353597226430589877391362589"
            ]
        },
        "id": "CVE-2024-45020-e18ed6f6",
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6e3987ac310c74bb4dd6a2fa8e46702fe505fb2b",
        "target": {
            "file": "kernel/bpf/verifier.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "77733944842172065930539484698791680204",
            "length": 2400.0
        },
        "id": "CVE-2024-45020-f4d65afd",
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bed2eb964c70b780fb55925892a74f26cb590b25",
        "target": {
            "file": "kernel/bpf/verifier.c",
            "function": "stacksafe"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.48
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.7