CVE-2025-38502 (GCVE-0-2025-38502)
Vulnerability from cvelistv5
Published: 2025-08-16 09:34
Modified: 2025-08-16 09:34
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other, the verifier will validate each of the individual programs just fine. However, in the runtime context the bpf_cg_run_ctx holds a bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context:

  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
  storage = ctx->prog_item->cgroup_storage[stype];

  if (stype == BPF_CGROUP_STORAGE_SHARED)
    ptr = &READ_ONCE(storage->buf)->data[0];
  else
    ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.
Impacted products
Vendor: Linux
Product: Linux
Version: 7d9c3427894fe70d1347b4820476bf37736d2ff0 (git commit)


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19341d5c59e8c7e8528e40f8663e99d67810473c",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            },
            {
              "lessThan": "abad3d0bad72a52137e0c350c59542d75ae4f513",
              "status": "affected",
              "version": "7d9c3427894fe70d1347b4820476bf37736d2ff0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc1",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix oob access in cgroup local storage\n\nLonial reported that an out-of-bounds access in cgroup local storage\ncan be crafted via tail calls. Given two programs each utilizing a\ncgroup local storage with a different value size, and one program\ndoing a tail call into the other. The verifier will validate each of\nthe indivial programs just fine. However, in the runtime context\nthe bpf_cg_run_ctx holds an bpf_prog_array_item which contains the\nBPF program as well as any cgroup local storage flavor the program\nuses. Helpers such as bpf_get_local_storage() pick this up from the\nruntime context:\n\n  ctx = container_of(current-\u003ebpf_ctx, struct bpf_cg_run_ctx, run_ctx);\n  storage = ctx-\u003eprog_item-\u003ecgroup_storage[stype];\n\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\n    ptr = \u0026READ_ONCE(storage-\u003ebuf)-\u003edata[0];\n  else\n    ptr = this_cpu_ptr(storage-\u003epercpu_buf);\n\nFor the second program which was called from the originally attached\none, this means bpf_get_local_storage() will pick up the former\nprogram\u0027s map, not its own. With mismatching sizes, this can result\nin an unintended out-of-bounds access.\n\nTo fix this issue, we need to extend bpf_map_owner with an array of\nstorage_cookie[] to match on i) the exact maps from the original\nprogram if the second program was using bpf_get_local_storage(), or\nii) allow the tail call combination if the second program was not\nusing any of the cgroup local storage maps."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-16T09:34:25.135Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c"
        },
        {
          "url": "https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513"
        }
      ],
      "title": "bpf: Fix oob access in cgroup local storage",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38502",
    "datePublished": "2025-08-16T09:34:25.135Z",
    "dateReserved": "2025-04-16T04:51:24.022Z",
    "dateUpdated": "2025-08-16T09:34:25.135Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38502\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-16T10:15:25.653\",\"lastModified\":\"2025-08-18T20:16:28.750\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix oob access in cgroup local storage\\n\\nLonial reported that an out-of-bounds access in cgroup local storage\\ncan be crafted via tail calls. Given two programs each utilizing a\\ncgroup local storage with a different value size, and one program\\ndoing a tail call into the other. The verifier will validate each of\\nthe indivial programs just fine. However, in the runtime context\\nthe bpf_cg_run_ctx holds an bpf_prog_array_item which contains the\\nBPF program as well as any cgroup local storage flavor the program\\nuses. Helpers such as bpf_get_local_storage() pick this up from the\\nruntime context:\\n\\n  ctx = container_of(current-\u003ebpf_ctx, struct bpf_cg_run_ctx, run_ctx);\\n  storage = ctx-\u003eprog_item-\u003ecgroup_storage[stype];\\n\\n  if (stype == BPF_CGROUP_STORAGE_SHARED)\\n    ptr = \u0026READ_ONCE(storage-\u003ebuf)-\u003edata[0];\\n  else\\n    ptr = this_cpu_ptr(storage-\u003epercpu_buf);\\n\\nFor the second program which was called from the originally attached\\none, this means bpf_get_local_storage() will pick up the former\\nprogram\u0027s map, not its own. With mismatching sizes, this can result\\nin an unintended out-of-bounds access.\\n\\nTo fix this issue, we need to extend bpf_map_owner with an array of\\nstorage_cookie[] to match on i) the exact maps from the original\\nprogram if the second program was using bpf_get_local_storage(), or\\nii) allow the tail call combination if the second program was not\\nusing any of the cgroup local storage maps.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Correcci\u00f3n del acceso fuera de los l\u00edmites en el almacenamiento local de cgroup Lonial inform\u00f3 que se puede manipular un acceso fuera de los l\u00edmites en el almacenamiento local de cgroup mediante llamadas de cola. Dados dos programas, cada uno utilizando un almacenamiento local de cgroup con un tama\u00f1o de valor diferente, y un programa realizando una llamada de cola en el otro. El verificador validar\u00e1 cada uno de los programas individuales sin problemas. Sin embargo, en el contexto de tiempo de ejecuci\u00f3n, bpf_cg_run_ctx contiene un bpf_prog_array_item que contiene el programa BPF, as\u00ed como cualquier sabor de almacenamiento local de cgroup que use el programa. Los ayudantes como bpf_get_local_storage() recogen esto del contexto de tiempo de ejecuci\u00f3n: ctx = container_of(current-\u0026gt;bpf_ctx, struct bpf_cg_run_ctx, run_ctx); storage = ctx-\u0026gt;prog_item-\u0026gt;cgroup_storage[stype]; if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = \u0026amp;READ_ONCE(storage-\u0026gt;buf)-\u0026gt;data[0]; else ptr = this_cpu_ptr(storage-\u0026gt;percpu_buf); Para el segundo programa llamado desde el programa adjunto original, esto significa que bpf_get_local_storage() tomar\u00e1 el mapa del programa anterior, no el suyo. Con tama\u00f1os no coincidentes, esto puede resultar en un acceso fuera de los l\u00edmites no deseado. Para solucionar este problema, necesitamos extender bpf_map_owner con una matriz de storage_cookie[] para que coincida con i) los mapas exactos del programa original si el segundo programa usaba bpf_get_local_storage(), o ii) permitir la combinaci\u00f3n de llamadas de cola si el segundo programa no usaba ninguno de los mapas de almacenamiento local de cgroup.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/19341d5c59e8c7e8528e40f8663e99d67810473c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/abad3d0bad72a52137e0c350c59542d75ae4f513\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}