In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix verifier assumptions about socket->sk
The verifier assumes that the ‘sk’ field in ‘struct socket’ is valid
and non-NULL whenever the ‘socket’ pointer itself is trusted and non-NULL.
That may not be the case when the socket was just created and
passed to the LSM socket_accept hook, so a BPF program may pass
verification while reading ‘sk’ without a NULL check.
Fix this verifier assumption and adjust tests.
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/bench_local_storage_create.c",
"tools/testing/selftests/bpf/progs/local_storage.c",
"tools/testing/selftests/bpf/progs/lsm_cgroup.c"
],
"versions": [
{
"version": "6fcd486b3a0a",
"lessThan": "39f8a29330f4",
"status": "affected",
"versionType": "git"
},
{
"version": "6fcd486b3a0a",
"lessThan": "6f5ae91172a9",
"status": "affected",
"versionType": "git"
},
{
"version": "6fcd486b3a0a",
"lessThan": "c58ccdd2483a",
"status": "affected",
"versionType": "git"
},
{
"version": "6fcd486b3a0a",
"lessThan": "0db63c0b86e9",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"kernel/bpf/verifier.c",
"tools/testing/selftests/bpf/progs/bench_local_storage_create.c",
"tools/testing/selftests/bpf/progs/local_storage.c",
"tools/testing/selftests/bpf/progs/lsm_cgroup.c"
],
"versions": [
{
"version": "6.4",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.4",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.33",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.8.12",
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9.3",
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.10",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]