{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-07T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf: devmap: provide rxq after redirect",
    "id" : "2324317",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2324317"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: devmap: provide rxq after redirect\nrxq contains a pointer to the device from where\nthe redirect happened. Currently, the BPF program\nthat was executed after a redirect via BPF_MAP_TYPE_DEVMAP*\ndoes not have it set.\nThis is particularly bad since accessing ingress_ifindex, e.g.\nSEC(\"xdp\")\nint prog(struct xdp_md *pkt)\n{\nreturn bpf_redirect_map(&dev_redirect_map, 0, 0);\n}\nSEC(\"xdp/devmap\")\nint prog_after_redirect(struct xdp_md *pkt)\n{\nbpf_printk(\"ifindex %i\", pkt->ingress_ifindex);\nreturn XDP_PASS;\n}\ndepends on access to rxq, so a NULL pointer gets dereferenced:\n<1>[  574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000\n<1>[  574.475188] #PF: supervisor read access in kernel mode\n<1>[  574.475194] #PF: error_code(0x0000) - not-present page\n<6>[  574.475199] PGD 0 P4D 0\n<4>[  574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23\n<4>[  574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023\n<4>[  574.475231] Workqueue: mld mld_ifc_work\n<4>[  574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\n<4>[  574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b\n<4>[  574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206\n<4>[  574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000\n<4>[  574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0\n<4>[  574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001\n<4>[  574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000\n<4>[  574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000\n<4>[  574.475289] FS:  0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000\n<4>[  574.475294] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n<4>[  574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0\n<4>[  574.475303] PKRU: 55555554\n<4>[  574.475306] Call Trace:\n<4>[  574.475313]  <IRQ>\n<4>[  574.475318]  ? __die+0x23/0x70\n<4>[  574.475329]  ? page_fault_oops+0x180/0x4c0\n<4>[  574.475339]  ? skb_pp_cow_data+0x34c/0x490\n<4>[  574.475346]  ? kmem_cache_free+0x257/0x280\n<4>[  574.475357]  ? exc_page_fault+0x67/0x150\n<4>[  574.475368]  ? asm_exc_page_fault+0x26/0x30\n<4>[  574.475381]  ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c\n<4>[  574.475386]  bq_xmit_all+0x158/0x420\n<4>[  574.475397]  __dev_flush+0x30/0x90\n<4>[  574.475407]  veth_poll+0x216/0x250 [veth]\n<4>[  574.475421]  __napi_poll+0x28/0x1c0\n<4>[  574.475430]  net_rx_action+0x32d/0x3a0\n<4>[  574.475441]  handle_softirqs+0xcb/0x2c0\n<4>[  574.475451]  do_softirq+0x40/0x60\n<4>[  574.475458]  </IRQ>\n<4>[  574.475461]  <TASK>\n<4>[  574.475464]  __local_bh_enable_ip+0x66/0x70\n<4>[  574.475471]  __dev_queue_xmit+0x268/0xe40\n<4>[  574.475480]  ? selinux_ip_postroute+0x213/0x420\n<4>[  574.475491]  ? alloc_skb_with_frags+0x4a/0x1d0\n<4>[  574.475502]  ip6_finish_output2+0x2be/0x640\n<4>[  574.475512]  ? nf_hook_slow+0x42/0xf0\n<4>[  574.475521]  ip6_finish_output+0x194/0x300\n<4>[  574.475529]  ? __pfx_ip6_finish_output+0x10/0x10\n<4>[  574.475538]  mld_sendpack+0x17c/0x240\n<4>[  574.475548]  mld_ifc_work+0x192/0x410\n<4>[  574.475557]  process_one_work+0x15d/0x380\n<4>[  574.475566]  worker_thread+0x29d/0x3a0\n<4>[  574.475573]  ? __pfx_worker_thread+0x10/0x10\n<4>[  574.475580]  ? __pfx_worker_thread+0x10/0x10\n<4>[  574.475587]  kthread+0xcd/0x100\n<4>[  574.475597]  ? __pfx_kthread+0x10/0x10\n<4>[  574.475606]  ret_from_fork+0x31/0x50\n<4>[  574.475615]  ? __pfx_kthread+0x10/0x10\n<4>[  574.475623]  ret_from_fork_asm+0x1a/0x\n---truncated---" ],
  "statement" : "The BPF disabled by default in Red Hat Enterprise Linux (so only privileged user can enable it and trigger the bug). Even if BPF enabled, the NULL pointer dereference should not lead to the possibility of privileges escalation (so security impact is limited).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50162\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50162\nhttps://lore.kernel.org/linux-cve-announce/2024110747-CVE-2024-50162-474e@gregkh/T" ],
  "name" : "CVE-2024-50162",
  "csaw" : false
}