CVE-2023-54181

Name of the Vulnerable Software and Affected Versions linux versions prior to 6.1.y

Description The Linux kernel contains an issue in the bpf verifier related to pointer comparisons. Specifically, the verifier incorrectly flagged comparisons of packet pointers as potential pointer leaks. This occurred after capabilities were changed from cap sys admin to cap net admin+cap bpf, causing networking-bpf programs to fail to start. The issue was identified in a networking-bpf program and a reproducer was provided demonstrating the problem with pointer comparisons within the ingress function. The code checks if (long)(iph + 1) > (long)skb->data end, where iph is a pointer to the IP header within a socket buffer (skb).

Recommendations Update to a newer kernel version than 6.1.y to address this issue.