Kumar Kartikeya Dwivedi

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.10.0-rc3-00131-g66b586715063 #533 **Description** The issue is related to a missing check in the BPF verifier, which can lead to out-of-bounds memory accesses. This occurs when a modified `CONST PTR TO DYNPTR` is passed to a global function as an argument, allowing BPF helpers to continue using the modified pointer and potentially compromising system stability. Technical details about exploitation include: - Vulnerable function: `bpf dynptr data` - Vulnerable parameters or variables: `CONST PTR TO DYNPTR` - Function names: `check func arg reg off()`, `process dynptr func()` - API Endpoints: None explicitly mentioned **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the missing `check func arg reg off()` in the BPF verifier. Specifically, versions after 6.10.0-rc3-00131-g66b586715063 #533 should include this fix. As a temporary workaround, consider disabling the use of `CONST PTR TO DYNPTR` in global function arguments until a patch is available. However, this might not be feasible or could have significant performance implications, and thus, updating to a fixed kernel version is the recommended solution. At the moment, there is no information about other mitigation measures or workarounds that do not involve updating the kernel.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a crash due to out of bounds access into `reg2btf ids` in the Linux kernel's bpf component. This occurred after a commit added kfunc support and defined `reg2btf ids` as a way to translate the verifier reg type to the appropriate btf vmlinux BTF ID. However, another commit moved ` BPF REG TYPE MAX` from the last member of `bpf reg type` enum to after the base register types, defining other variants using type flag composition. As a result, the direct usage of `reg->type` to index into `reg2btf ids` may no longer fall into the ` BPF REG TYPE MAX` range, leading to out of bounds access and a kernel crash on dereference of a bad pointer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free issue exists in the Linux kernel due to a race condition between the btf try get module and load module functions. This occurs when the module BTF is published to userspace before the module initcall is invoked, allowing btf try get module to succeed even if the module has not been fully initialized. If the module loading fails and the module is freed, a subsequent call to module put for the freed module can result in a use-after-free issue. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** To resolve this issue, apply the patch that sets a flag BTF MODULE F LIVE from the notifier callback when the MODULE STATE LIVE state is reached for the module, preventing btf try get module from returning a module that is not fully formed. As a temporary workaround, consider restricting access to the vulnerable module until the patch is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.