Linux · Linux Kernel · CVE-2024-49861
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
A vulnerability has been found in the Linux kernel where specific helpers taking ARG_PTR_TO_{LONG,INT} arguments can write into read-only BPF maps from the BPF program side. This occurs because meta->raw_mode is never set in check_func_arg() when the argument is of that type, so check_helper_mem_access() assumes BPF_READ for the subsequent call to check_map_access_type(), and the write is allowed to succeed against a map that should be immutable to the program. The root cause is that these helpers were not annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT even though they write their results into the pointed-to memory. The fix removes the ARG_PTR_TO_{LONG,INT} special cases and adds MEM_ALIGNED so that the argument is checked as written-to, properly aligned memory.
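The following is an added illustration, not kernel code, of why the verifier let the write through and why the fix stops it. It is a simplified model of the relevant branch of check_func_arg(), check_helper_mem_access() and check_map_access_type(); the numeric flag values, the VerifierError class and the helper_write_allowed() wrapper are constructed for the example and do not exist in the kernel.

```python
"""Simplified model of the BPF verifier decision behind CVE-2024-49861.

Added example, not kernel code: flag values are constructed and the
functions only mimic the branch of the verifier the advisory describes.
"""

# Constructed flag values (the kernel's real enum values differ).
ARG_PTR_TO_LONG = 1 << 0
ARG_PTR_TO_INT = 1 << 1
ARG_PTR_TO_FIXED_SIZE_MEM = 1 << 2
MEM_UNINIT = 1 << 8   # helper writes into the memory; contents are uninitialised on entry
MEM_ALIGNED = 1 << 9  # pointer must be aligned to the access size (added by the fix)

BPF_READ = "BPF_READ"
BPF_WRITE = "BPF_WRITE"


class VerifierError(Exception):
    """Constructed stand-in for the verifier rejecting the program."""


def check_map_access_type(map_read_only: bool, access_type: str) -> None:
    """Mimics check_map_access_type(): a write into a read-only map is rejected."""
    if map_read_only and access_type == BPF_WRITE:
        raise VerifierError("write into map forbidden (read-only map)")


def check_helper_mem_access(map_read_only: bool, raw_mode: bool) -> str:
    """Mimics check_helper_mem_access(): the access type depends only on raw_mode."""
    access_type = BPF_WRITE if raw_mode else BPF_READ
    check_map_access_type(map_read_only, access_type)
    return access_type


def check_func_arg(arg_type: int, map_read_only: bool, reg_off: int = 0, size: int = 8) -> str:
    """Mimics check_func_arg() for a map-value pointer handed to a helper.

    Returns the access type that the map-access check was performed with.
    """
    if arg_type & MEM_ALIGNED and reg_off % size:
        raise VerifierError(f"misaligned access at offset {reg_off}, size {size}")
    # raw_mode is derived only from MEM_UNINIT; ARG_PTR_TO_{LONG,INT} alone never set it,
    # which is exactly why the map was checked with BPF_READ before the fix.
    raw_mode = bool(arg_type & MEM_UNINIT)
    return check_helper_mem_access(map_read_only, raw_mode)


# Before the fix: a result pointer annotated ARG_PTR_TO_LONG without MEM_UNINIT.
VULNERABLE_RES_ARG = ARG_PTR_TO_LONG

# After the fix: the special case is gone and the result pointer is described as
# fixed-size memory that the helper writes to and that must be aligned.
FIXED_RES_ARG = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED


def helper_write_allowed(arg_type: int, map_read_only: bool, reg_off: int = 0) -> bool:
    """True if the modelled verifier lets a helper store its result through this argument."""
    try:
        check_func_arg(arg_type, map_read_only, reg_off)
        return True
    except VerifierError:
        return False


if __name__ == "__main__":
    for label, arg in (("vulnerable", VULNERABLE_RES_ARG), ("fixed", FIXED_RES_ARG)):
        allowed = helper_write_allowed(arg, map_read_only=True)
        print(f"{label:10s} annotation, read-only map: write allowed = {allowed}")
```

The point the model makes is that the read-only check itself was never broken; it was simply asked the wrong question. Once the argument carries MEM_UNINIT, raw_mode is set, the access is classified as BPF_WRITE, and the existing read-only enforcement rejects it.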
Recommendations:
For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting which users and programs may load BPF programs that access read-only BPF maps, to minimize the risk of exploitation. Avoid using helpers with ARG_PTR_TO_{LONG,INT} arguments in BPF programs until the issue is resolved.
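As an added example (not part of the advisory), the check below compares a running kernel's release string against the 6.6.58 threshold the advisory names. It applies only that threshold: distribution kernels with backported fixes and kernels on other stable series are not covered by this rule and should be checked against the distributor's own advisory.

```python
"""Check a kernel release string against the fix version named in the advisory.

Added example; the only threshold used is the 6.6.58 version stated above.
"""
import platform
import re

FIXED_IN = (6, 6, 58)


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as '6.6.57-1-generic'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(release: str) -> bool:
    """True when the release is older than 6.6.58, the fix version named in the advisory."""
    return parse_kernel_release(release) < FIXED_IN


if __name__ == "__main__":
    rel = platform.release()
    verdict = "AFFECTED - update to 6.6.58 or later" if is_affected(rel) else "not in the affected range"
    print(f"kernel {rel}: {verdict}")
```

Distribution suffixes after the patch number are ignored, so '6.6.57-1-generic' and '6.6.57-arch1-1' both parse to (6, 6, 57).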