Fixed
Created: Jan 12, 2025
Updated: Oct 22, 2025
Resolved Date: Aug 3, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent tailcall infinite loop caused by freplace
There is a potential infinite loop issue that can occur when using a
combination of tail calls and freplace.
In an upcoming selftest, the attach target for entry_freplace of
tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in
entry_freplace leads to entry_tc. This results in an infinite loop:
entry_tc {-}> subprog_tc -> entry_freplace --tailcall{-}> entry_tc.
The problem arises because the tail_call_cnt in entry_freplace resets to
zero each time entry_freplace is executed, causing the tail call mechanism
to never terminate, eventually leading to a kernel panic.
To fix this issue, the solution is twofold:
1. Prevent updating a program extended by an freplace program to a
prog_array map.
2. Prevent extending a program that is already part of a prog_array map
with an freplace program.
This ensures that:
* If a program or its subprogram has been extended by an freplace program,
it can no longer be updated to a prog_array map.
* If a program has been added to a prog_array map, neither it nor its
subprograms can be extended by an freplace program.
Moreover, an extension program should not be tailcalled. As such, return
-EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a
prog_array map.
Additionally, fix a minor code style issue by replacing eight spaces with a
tab for proper formatting.
========Wind River Notice========
This fix of CVE has big changes. so backport the fix to current kernel might cause more issues.
There is a simple way to mitigate it, see:
[https://access.redhat.com/security/cve/cve-2024-47794]
Mitigating steps(Verified on qemu-x86-64):
1. Checking unprivileged_bpf_disabled:
cat /proc/sys/kernel/unprivileged_bpf_disabled
2. The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw:
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
