CVE ID : CVE-2024-50254

Published : Nov. 9, 2024, 11:15 a.m. | 1 hour, 1 minute ago

Description : In the Linux kernel, the following vulnerability has been resolved:

bpf: Free dynamically allocated bits in bpf_iter_bits_destroy()

bpf_iter_bits_destroy() uses “kit->nr_bits ] kmemleak_alloc+0x4b/0x80
[] __kmalloc_node_noprof+0x480/0x5c0
[] __alloc.isra.0+0x89/0xb0
[] alloc_bulk+0x2af/0x720
[] prefill_mem_cache+0x7f/0xb0
[] bpf_mem_alloc_init+0x3e2/0x610
[] bpf_global_ma_init+0x19/0x30
[] do_one_initcall+0xd3/0x3c0
[] kernel_init_freeable+0x66a/0x940
[] kernel_init+0x20/0x160
[] ret_from_fork+0x3c/0x70
[] ret_from_fork_asm+0x1a/0x30

That is because nr_bits will be set as zero in bpf_iter_bits_next()
after all bits have been iterated.

Fix the issue by setting kit->bit to kit->nr_bits instead of setting
kit->nr_bits to zero when the iteration completes in
bpf_iter_bits_next(). In addition, use “!nr_bits || bits >= nr_bits” to
check whether the iteration is complete and still use “nr_bits > 64” to
indicate whether bits are dynamically allocated. The “!nr_bits” check is
necessary because bpf_iter_bits_new() may fail before setting
kit->nr_bits, and this condition will stop the iteration early instead
of accessing the zeroed or freed kit->bits.

Considering the initial value of kit->bits is -1 and the type of
kit->nr_bits is unsigned int, change the type of kit->nr_bits to int.
The potential overflow problem will be handled in the following patch.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…