CVE-2024-50162

In the Linux kernel, the following vulnerability has been resolved:

bpf: devmap: provide rxq after redirect

rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPFMAPTYPE_DEVMAP* does not have it set.

This is particularly bad since accessing ingress_ifindex, e.g.

SEC("xdp") int prog(struct xdpmd *pkt) { return bpfredirectmap(&devredirect_map, 0, 0); }

SEC("xdp/devmap") int progafterredirect(struct xdpmd *pkt) { bpfprintk("ifindex %i", pkt->ingressifindex); return XDPPASS; }

depends on access to rxq, so a NULL pointer gets dereferenced:

<1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 <1>[ 574.475188] #PF: supervisor read access in kernel mode <1>[ 574.475194] #PF: errorcode(0x0000) - not-present page <6>[ 574.475199] PGD 0 P4D 0 <4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI <4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 <4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 <4>[ 574.475231] Workqueue: mld mldifcwork <4>[ 574.475247] RIP: 0010:bpfprog5e13354d9cf5018aprogafterredirect+0x17/0x3c <4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b <4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 <4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 <4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 <4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 <4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 <4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 <4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 <4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 <4>[ 574.475303] PKRU: 55555554 <4>[ 574.475306] Call Trace: <4>[ 574.475313] <IRQ> <4>[ 574.475318] ? _die+0x23/0x70 <4>[ 574.475329] ? pagefaultoops+0x180/0x4c0 <4>[ 574.475339] ? skbppcowdata+0x34c/0x490 <4>[ 574.475346] ? kmemcachefree+0x257/0x280 <4>[ 574.475357] ? excpagefault+0x67/0x150 <4>[ 574.475368] ? asmexcpagefault+0x26/0x30 <4>[ 574.475381] ? bpfprog5e13354d9cf5018aprogafterredirect+0x17/0x3c <4>[ 574.475386] bqxmitall+0x158/0x420 <4>[ 574.475397] _devflush+0x30/0x90 <4>[ 574.475407] vethpoll+0x216/0x250 [veth] <4>[ 574.475421] _napipoll+0x28/0x1c0 <4>[ 574.475430] netrxaction+0x32d/0x3a0 <4>[ 574.475441] handlesoftirqs+0xcb/0x2c0 <4>[ 574.475451] dosoftirq+0x40/0x60 <4>[ 574.475458] </IRQ> <4>[ 574.475461] <TASK> <4>[ 574.475464] _localbhenableip+0x66/0x70 <4>[ 574.475471] _devqueuexmit+0x268/0xe40 <4>[ 574.475480] ? selinuxippostroute+0x213/0x420 <4>[ 574.475491] ? allocskbwithfrags+0x4a/0x1d0 <4>[ 574.475502] ip6finishoutput2+0x2be/0x640 <4>[ 574.475512] ? nfhookslow+0x42/0xf0 <4>[ 574.475521] ip6finishoutput+0x194/0x300 <4>[ 574.475529] ? _pfxip6finishoutput+0x10/0x10 <4>[ 574.475538] mldsendpack+0x17c/0x240 <4>[ 574.475548] mldifcwork+0x192/0x410 <4>[ 574.475557] processonework+0x15d/0x380 <4>[ 574.475566] workerthread+0x29d/0x3a0 <4>[ 574.475573] ? _pfxworkerthread+0x10/0x10 <4>[ 574.475580] ? _pfxworkerthread+0x10/0x10 <4>[ 574.475587] kthread+0xcd/0x100 <4>[ 574.475597] ? _pfxkthread+0x10/0x10 <4>[ 574.475606] retfromfork+0x31/0x50 <4>[ 574.475615] ? _pfxkthread+0x10/0x10 <4>[ 574.475623] retfromforkasm+0x1a/0x ---truncated---