Jiri Olsa

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference in the `bpf tracing prog attach` function. This can occur when a specific sequence of events happens, including loading a rawtp program, loading a fentry program with rawtp as the target fd, creating a tracing link for the fentry program with target fd = 0, and repeating this process. The result is a kernel crash due to the null pointer dereference. The technical details involve the `prog->aux->dst trampoline` being NULL, `tgt prog` being NULL because no target fd was provided to `link create`, and `prog->aux->attach btf` being NULL because the program was loaded with `attach prog fd=X`. The exact impact and the number of potentially affected devices are not specified. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the powerpc/bpf component of the Linux kernel, where a check added to the powerpc64 JIT did not look at the correct BPF instruction. This resulted in programs being accepted and incorrectly JIT'd, leading to soft lockups, as seen with the atomic bounds test. The problem arose after a commit converted BPF XADD to BPF ATOMIC and added a way to distinguish instructions based on the immediate field. Existing JIT implementations were updated to check for the immediate field and reject programs utilizing anything more than BPF ADD in the immediate field. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to buggy SELinux lockdown permission checks in the Linux kernel. The problem arises from the implementation of the locked down LSM hook to SELinux, which aims to restrict domains allowed to perform operations that breach lockdown. This implementation indirectly involves the audit subsystem, reporting events that can cause issues. Specifically, the audit events triggered by calls to security locked down() can lead to an Out-of-Memory (OOM) kill of a machine. Additionally, there's a potential deadlock via avc has perm()/slow avc audit() when waking up kauditd, especially when using the trace sched switch() tracepoint. The intention to restrict lockdown settings for specific applications is broken for BPF (Berkeley Packet Filter), as the SELinux policy rule for the current lockdown check does not match the 'current' task executing security locked down(). The policy should be against the entity installing the BPF program, not against random applications like httpd doing a syscall. The fix involves moving the security locked down() check into the program verification phase, reliably getting the task trying to install the BPF tracing program and fixing the OOM issue by moving the check out of the BPF helper's fast-path. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.28.5 **Description** The issue is related to the shm get stat function in the shm subsystem of the Linux kernel. When CONFIG SHMEM is disabled, this function misinterprets the data type of an inode. This can be exploited by local users to cause a denial of service, resulting in a system hang, by making an SHM INFO shmctl call. An example of how this can be done is by running the ipcs program. **Recommendations** For Linux kernel versions prior to 2.6.28.5, update to version 2.6.28.5 or later to resolve the issue.