Acknowledged
Created: May 5, 2025
Updated: Mar 5, 2026
Resolved Date: Mar 5, 2026
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:
bpf: consider that tail calls invalidate packet pointers
Tail-called programs could execute any of the helpers that invalidate
packet pointers. Hence, conservatively assume that each tail call
invalidates packet pointers.
Making the change in bpf_helper_changes_pkt_data() automatically makes
use of check_cfg() logic that computes 'changes_pkt_data' effect for
global sub-programs, such that the following program could be
rejected:
int tail_call(struct __sk_buff *sk)
{ bpf_tail_call_static(sk, &jmp_table, 0); return 0; }
SEC("tc")
int not_safe(struct __sk_buff *sk)
{ int *p = (void *)(long)sk->data; ... make p valid ... tail_call(sk); *p = 42; /* this is unsafe */ ... }
The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that
can invalidate packet pointers. Otherwise, it can't be freplaced with
tailcall_freplace.c:entry_freplace() that does a tail call.
========Wind River Notice========
To backport the fix might break current common BPF code due to context changes.
Mitigation:
The default WindRiver Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.
For the WindRiver Linux to confirm the current state, inspect the sysctl with the command:
cat /proc/sys/kernel/unprivileged_bpf_disabled
The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
