CVE-2024-50254— bpf: Free dynamically allocated bits in bpf_iter_bits_destroy()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-50254
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
bpf: Free dynamically allocated bits in bpf_iter_bits_destroy()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Free dynamically allocated bits in bpf_iter_bits_destroy() bpf_iter_bits_destroy() uses "kit->nr_bits <= 64" to check whether the bits are dynamically allocated. However, the check is incorrect and may cause a kmemleak as shown below: unreferenced object 0xffff88812628c8c0 (size 32): comm "swapper/0", pid 1, jiffies 4294727320 hex dump (first 32 bytes): b0 c1 55 f5 81 88 ff ff f0 f0 f0 f0 f0 f0 f0 f0 ..U........... f0 f0 f0 f0 f0 f0 f0 f0 00 00 00 00 00 00 00 00 .............. backtrace (crc 781e32cc): [<00000000c452b4ab>] kmemleak_alloc+0x4b/0x80 [<0000000004e09f80>] __kmalloc_node_noprof+0x480/0x5c0 [<00000000597124d6>] __alloc.isra.0+0x89/0xb0 [<000000004ebfffcd>] alloc_bulk+0x2af/0x720 [<00000000d9c10145>] prefill_mem_cache+0x7f/0xb0 [<00000000ff9738ff>] bpf_mem_alloc_init+0x3e2/0x610 [<000000008b616eac>] bpf_global_ma_init+0x19/0x30 [<00000000fc473efc>] do_one_initcall+0xd3/0x3c0 [<00000000ec81498c>] kernel_init_freeable+0x66a/0x940 [<00000000b119f72f>] kernel_init+0x20/0x160 [<00000000f11ac9a7>] ret_from_fork+0x3c/0x70 [<0000000004671da4>] ret_from_fork_asm+0x1a/0x30 That is because nr_bits will be set as zero in bpf_iter_bits_next() after all bits have been iterated. Fix the issue by setting kit->bit to kit->nr_bits instead of setting kit->nr_bits to zero when the iteration completes in bpf_iter_bits_next(). In addition, use "!nr_bits || bits >= nr_bits" to check whether the iteration is complete and still use "nr_bits > 64" to indicate whether bits are dynamically allocated. The "!nr_bits" check is necessary because bpf_iter_bits_new() may fail before setting kit->nr_bits, and this condition will stop the iteration early instead of accessing the zeroed or freed kit->bits. Considering the initial value of kit->bits is -1 and the type of kit->nr_bits is unsigned int, change the type of kit->nr_bits to int. The potential overflow problem will be handled in the following patch.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于bpf_iter_bits_destroy函数中的动态分配位释放存在问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-50254
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-50254
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-11-09 · 49 CVEs total
| CVE-2024-50248 | ntfs3: Add bounds checking to mi_enum_attr() | |
| CVE-2024-50251 | netfilter: nft_payload: sanitize offset and length before calling skb_checksum() | |
| CVE-2024-50253 | bpf: Check the validity of nr_words in bpf_iter_bits_new() | |
| CVE-2024-50258 | net: fix crash when config small gso_max_size/gso_ipv4_max_size | |
| CVE-2024-50259 | netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write | |
| CVE-2024-50260 | sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() | |
| CVE-2024-50261 | macsec: Fix use-after-free while sending the offloading packet | |
| CVE-2024-50262 | bpf: Fix out-of-bounds write in trie_get_next_key() | |
| CVE-2024-50257 | netfilter: Fix use-after-free in get_info() | |
| CVE-2024-50249 | ACPI: CPPC: Make rmw_lock a raw_spin_lock | |
| CVE-2024-50250 | fsdax: dax_unshare_iter needs to copy entire blocks | |
| CVE-2024-50247 | fs/ntfs3: Check if more than chunk-size bytes are written | |
| CVE-2024-50246 | fs/ntfs3: Add rough attr alloc_size check | |
| CVE-2024-50244 | fs/ntfs3: Additional check in ni_clear() | |
| CVE-2024-50245 | fs/ntfs3: Fix possible deadlock in mi_read | |
| CVE-2024-50243 | fs/ntfs3: Fix general protection fault in run_is_mapped_full | |
| CVE-2024-50242 | fs/ntfs3: Additional check in ntfs_file_release | |
| CVE-2024-50241 | NFSD: Initialize struct nfsd4_copy earlier | |
| CVE-2024-50240 | phy: qcom: qmp-usb: fix NULL-deref on runtime suspend | |
| CVE-2024-50239 | phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend |
Showing top 20 of 49 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2024-50254
No comments yet