CVE-2024-53125— bpf: sync_linked_regs() must preserve subreg_def
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-53125
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
bpf: sync_linked_regs() must preserve subreg_def
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bpf: sync_linked_regs() must preserve subreg_def Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff 2: w1 = w0 rewrites w1 = w0 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) 4: r1 >>= 32 r11 <<= 32 (r) 5: r0 = r1 r1 |= r11 (r) 6: exit; if w0 < 0xa goto pc+0 r1 >>= 32 r0 = r1 exit (or zero extension of w1 at (2) is missing for architectures that require zero extension for upper register half). The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2) for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random value for hi32 bits of (2) (marked (r)); - this random value is read at (5).
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于bpf子系统中sync_linked_regs函数未能保留subreg_def标记,可能导致BPF_F_TEST_RND_HI32标志下的错误重写。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-53125
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-53125
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-12-04 · 16 CVEs total
| CVE-2024-53126 | vdpa: solidrun: Fix UB bug with devres | |
| CVE-2024-53127 | Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" | |
| CVE-2024-53128 | sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers | |
| CVE-2024-53129 | drm/rockchip: vop: Fix a dereferenced before check warning | |
| CVE-2024-53130 | nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint | |
| CVE-2024-53131 | nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint | |
| CVE-2024-53132 | drm/xe/oa: Fix "Missing outer runtime PM protection" warning | |
| CVE-2024-53133 | drm/amd/display: Handle dml allocation failure to avoid crash | |
| CVE-2024-53134 | pmdomain: imx93-blk-ctrl: correct remove path | |
| CVE-2024-53135 | KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN | |
| CVE-2024-53136 | mm: revert "mm: shmem: fix data-race in shmem_getattr()" | |
| CVE-2024-53138 | net/mlx5e: kTLS, Fix incorrect page refcounting | |
| CVE-2024-53137 | ARM: fix cacheflush with PAN | |
| CVE-2024-53139 | sctp: fix possible UAF in sctp_v6_available() | |
| CVE-2024-53140 | netlink: terminate outstanding dump on socket close |
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2024-53125
No comments yet