{"uuid": "18b14370-ff2a-4ebc-8bba-977ca56827f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-43837", "type": "seen", "source": "https://t.me/cvedetector/3424", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-43837 - Linux BPF Null Pointer Dereference Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-43837 \nPublished : Aug. 17, 2024, 10:15 a.m. | 41\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nbpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT  \n  \nWhen loading a EXT program without specifying `attr->attach_prog_fd`,  \nthe `prog->aux->dst_prog` will be null. At this time, calling  \nresolve_prog_type() anywhere will result in a null pointer dereference.  \n  \nExample stack trace:  \n  \n[    8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004  \n[    8.108262] Mem abort info:  \n[    8.108384]   ESR = 0x0000000096000004  \n[    8.108547]   EC = 0x25: DABT (current EL), IL = 32 bits  \n[    8.108722]   SET = 0, FnV = 0  \n[    8.108827]   EA = 0, S1PTW = 0  \n[    8.108939]   FSC = 0x04: level 0 translation fault  \n[    8.109102] Data abort info:  \n[    8.109203]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000  \n[    8.109399]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0  \n[    8.109614]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  \n[    8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000  \n[    8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000  \n[    8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP  \n[    8.112783] Modules linked in:  \n[    8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1  \n[    8.113230] Hardware name: linux,dummy-virt (DT)  \n[    8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  \n[    8.113429] pc : may_access_direct_pkt_data+0x24/0xa0  \n[    8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8  \n[    8.113798] sp : ffff80008283b9f0  \n[    8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001  \n[    8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000  \n[    8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000  \n[    8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff  \n[    8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720  \n[    8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720  \n[    8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4  \n[    8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f  \n[    8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c  \n[    8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000  \n[    8.114126] Call trace:  \n[    8.114159]  may_access_direct_pkt_data+0x24/0xa0  \n[    8.114202]  bpf_check+0x3bc/0x28c0  \n[    8.114214]  bpf_prog_load+0x658/0xa58  \n[    8.114227]  __sys_bpf+0xc50/0x2250  \n[    8.114240]  __arm64_sys_bpf+0x28/0x40  \n[    8.114254]  invoke_syscall.constprop.0+0x54/0xf0  \n[    8.114273]  do_el0_svc+0x4c/0xd8  \n[    8.114289]  el0_svc+0x3c/0x140  \n[    8.114305]  el0t_64_sync_handler+0x134/0x150  \n[    8.114331]  el0t_64_sync+0x168/0x170  \n[    8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403)  \n[    8.118672] ---[ end trace 0000000000000000 ]---  \n  \nOne way to fix it is by forcing `attach_prog_fd` non-empty when  \nbpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type`  \nAPI broken which use verifier log to probe prog type and will log  \nnothing if we reject invalid EXT prog before bpf_check().  \n  \nAnother way is by adding null check in resolve_prog_type().  \n  \nThe issue was introduced by commit 4a9c7bbe2ed4 (\"bpf: Resolve to  \nprog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT\") which wanted  \nto correct type resolution for BPF_PROG_TYPE_TRACING programs. Before  \nthat, the type resolution of BPF_PROG_TYPE_EXT prog actually follows  \nthe logic below:  \n  \n  prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;  \n  \nIt implies that when EXT program is not yet attached t[...]", "creation_timestamp": "2024-08-17T13:09:19.000000Z"}