CVE-2024-47794 - Preventing Infinite Loops in Linux Kernel BPF Tail Calls and Freplace

In the Linux kernel, a specific vulnerability has been discovered and resolved, which is officially labeled as CVE-2024-47794. This vulnerability is related to the Berkeley Packet Filter (BPF) subsystem, involving a potential infinite loop caused by the combination of tail calls and freplace.

Exploit Details

Before digging into the fix, let's understand how this vulnerability can be exploited.

When using tail calls and freplace in the Linux kernel's BPF subsystem, there is a potential for an infinite loop. In an upcoming selftest, the attach target for entry_freplace of tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c. The tail call in entry_freplace then leads to entry_tc. This sequence results in an infinite loop:

entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc.

The main issue here is that the tail_call_cnt in entry_freplace resets to zero each time entry_freplace is executed. This causes the tail call mechanism to never terminate, eventually leading to a kernel panic.

The implementation of these solutions ensures that

* If a program or its subprogram has been extended by an freplace program, it can no longer be updated to a prog_array map.
* If a program has been added to a prog_array map, neither it nor its subprograms can be extended by an freplace program.

Furthermore, an extension program should not be tailcalled. To implement this behavior, return -EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a prog_array map.

Here's a snippet of the code changes that address this issue

if (attach_type == BPF_SK_LOOKUP || attach_type == BPF_SK_SKB_STREAM_PARSER || attach_type == BPF_SK_SKB_STREAM_VERDICT) {
	...
} else if (attach_type == BPF_PROG_TYPE_EXT) {
	/* Add check for BPF_PROG_TYPE_EXT */
	tp = &map->inner_array->ptrs[type];
	if (op == BPF_MAP_LOOKUP_ELEM)
	return -EINVAL;
}

Original References

1. Patch from Linux Kernel Mailing List: bpf: Prevent tail call infinite loop caused by freplace
2. Patch in the Linux kernel Git repository: bpf, prevent_tailcall_infinite_loop_freplace

Conclusion

In conclusion, CVE-2024-47794 is a vulnerability in the Linux kernel's BPF subsystem that could cause an infinite loop when using tail calls and freplace. This vulnerability has now been resolved with a twofold solution that checks for specific conditions when adding a program to a prog_array map or extending it with an freplace program. This fix should prevent kernel panics caused by the exploit in the future.

Timeline

Published on: 01/11/2025 13:15:22 UTC
Last modified on: 01/20/2025 06:19:06 UTC