Fix out-of-bounds write in trie_get_next_key()

CVE-2024-50262

7.8HIGH

Key Information

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 9 November 2024

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8.

Affected Version(s)

Linux < b471f2f1de8b

Linux < 91afbc0eb3c9

Linux < 590976f92172

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Nov 9, 2024
Vulnerability Reserved.
Oct 21, 2024

Collectors

NVD DatabaseMitre Database