Acknowledged
Created: Dec 16, 2025
Updated: Dec 18, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

bpf: account for current allocated stack depth in widen_imprecise_scalars()

The usage pattern for widen_imprecise_scalars() looks as follows:

    prev_st = find_prev_entry(env, ...);
    queued_st = push_stack(...);
    widen_imprecise_scalars(env, prev_st, queued_st);

Where prev_st is an ancestor of the queued_st in the explored states
tree. This ancestor is not guaranteed to have same allocated stack
depth as queued_st. E.g. in the following case:

    def main():
      for i in 1..2:
        foo(i)        // same callsite, different param

    def foo(i):
      if i == 1:
        use 128 bytes of stack
      iterator based loop

Here, for a second 'foo' call prev_st->allocated_stack is 128,
while queued_st->allocated_stack is much smaller.
widen_imprecise_scalars() needs to take this into account and avoid
accessing bpf_verifier_state->frame[*]->stack out of bounds.
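
The depth mismatch described above, as a user-space model added to this page (not kernel code and not the upstream patch). The struct and function names are hypothetical, "widening" is reduced to marking a slot unknown, and the 16-byte depth for the second call is a constructed value.

```c
#include <stdlib.h>

#define SLOT_SIZE 8   /* bytes per stack slot in this model */

/* Simplified stand-ins for the verifier's per-frame state (assumed names). */
struct model_slot  { int precise; int known; };
struct model_frame { int allocated_stack; struct model_slot *stack; };

static struct model_frame make_frame(int bytes)
{
    struct model_frame f = { bytes, calloc(bytes / SLOT_SIZE, sizeof(struct model_slot)) };
    for (int i = 0; i < bytes / SLOT_SIZE; i++)
        f.stack[i].known = 1;          /* every slot starts as a known scalar */
    return f;
}

/* Number of slots a loop bounded only by prev's depth would index
 * past the end of cur's stack array (computed, never dereferenced). */
static int slots_past_end(const struct model_frame *prev, const struct model_frame *cur)
{
    int over = (prev->allocated_stack - cur->allocated_stack) / SLOT_SIZE;
    return over > 0 ? over : 0;
}

/* Bounded walk: visit only slots that exist in BOTH frames.
 * An imprecise slot in both states is marked unknown. Returns slots visited. */
static int widen_shared_slots(const struct model_frame *prev, struct model_frame *cur)
{
    int n_prev = prev->allocated_stack / SLOT_SIZE;
    int n_cur  = cur->allocated_stack / SLOT_SIZE;
    int n = n_prev < n_cur ? n_prev : n_cur;

    for (int i = 0; i < n; i++)
        if (!prev->stack[i].precise && !cur->stack[i].precise)
            cur->stack[i].known = 0;
    return n;
}

int main(void)
{
    struct model_frame prev = make_frame(128);  /* first foo() call: 128 bytes */
    struct model_frame cur  = make_frame(16);   /* second call: constructed smaller depth */
    int visited = widen_shared_slots(&prev, &cur);
    free(prev.stack);
    free(cur.stack);
    return visited == 2 ? 0 : 1;
}
```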