CVE-2024-47702 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fail verification for sign-extension of packet data/data_end/data_meta

syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field.

The original code looks like: r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */ r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension.

After verification and convert_ctx_accesses(), the final asm code looks like: r2 = *(u64 *)(r1 +208) r2 = (s32)r2 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure.

Currently, in C code, typically we have void *data = (void *)(long)skb->data; void *data_end = (void *)(long)skb->data_end; ... and it will generate r2 = *(u64 *)(r1 +208) r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1

If we allow sign-extension, void *data = (void *)(long)(int)skb->data; void *data_end = (void *)(long)skb->data_end; ... the generated code looks like r2 = *(u64 *)(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer.

To fix this issue for case r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail.

[1] https://lore.kernel.org/bpf/[email protected]/

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability CVE-2024-47702 affects the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem and represents a critical issue in the BPF verifier's handling of sign-extension operations for packet data pointers. This flaw specifically targets the verification process when processing 32-bit sign-extension loads from packet data, data_end, and data_meta fields within the __sk_buff context structure. The vulnerability was discovered through automated fuzzing by syzbot, which identified a kernel crash occurring after a specific commit that introduced handling for sign-extension of context member accesses. The root cause lies in how the BPF verifier processes the conversion of context accesses during code generation, where sign-extension operations on packet data pointers can result in invalid memory addresses that cause runtime failures.

The technical implementation of this vulnerability involves the transformation of BPF bytecode during verification and compilation phases. Initially, the BPF program loads packet data using a 32-bit signed load operation from the __sk_buff structure, specifically accessing the data field at offset 76. During verification, the convert_ctx_accesses() function translates this into a 64-bit load followed by a 32-bit sign-extension operation. The problematic code sequence shows that r2 = (u64 )(r1 +208) followed by r2 = (s32)r2 creates a situation where the sign-extension operation can corrupt the packet pointer address. This occurs because the original 32-bit signed load operation from packet data should not undergo sign-extension in the context of packet pointer arithmetic, as it can result in invalid addresses that cause kernel crashes during runtime execution.

The operational impact of this vulnerability extends beyond simple kernel crashes to potentially enable privilege escalation or denial of service attacks within systems utilizing BPF programs. When BPF programs are executed with elevated privileges, particularly in networking contexts where packet processing occurs, an attacker could craft malicious BPF programs that exploit this verification flaw to corrupt memory addresses or bypass security checks. The vulnerability specifically affects the BPF verifier's is_valid_access() callback function, which is responsible for validating memory access patterns during program verification. The fix implemented in this patch adds additional checking specifically for packet data, data_end, and data_meta access patterns, ensuring that sign-extension operations on these fields will cause verification to fail rather than allowing potentially invalid code to proceed to execution.

This vulnerability aligns with CWE-129, which addresses improper validation of array indices and memory access patterns, and relates to ATT&CK technique T1059.006 for execution through BPF programs. The fix demonstrates proper defensive programming practices by adding explicit validation checks in the BPF verification layer, preventing the execution of potentially harmful code patterns. The patch specifically targets the problematic code path where r2 <<= 32 followed by r2 s>>= 32 operations would be generated for sign-extended packet data accesses, which the BPF verifier correctly identifies as invalid operations on packet pointers. This represents a critical security measure that prevents malicious BPF programs from exploiting pointer arithmetic anomalies that could otherwise lead to kernel memory corruption or privilege escalation. The vulnerability underscores the importance of rigorous verification in kernel-level code execution environments where security boundaries are crucial for system integrity.

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00203

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!