{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36937", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.071Z", "datePublished": "2024-05-30T15:29:26.353Z", "dateUpdated": "2024-11-05T09:28:25.105Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:28:25.105Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/filter.c"], "versions": [{"version": "e624d4ed4aa8", "lessThan": "12481f30128f", "status": "affected", "versionType": "git"}, {"version": "e624d4ed4aa8", "lessThan": "272bfb019f3c", "status": "affected", "versionType": "git"}, {"version": "e624d4ed4aa8", "lessThan": "e22e25820fa0", "status": "affected", "versionType": "git"}, {"version": "e624d4ed4aa8", "lessThan": "6fd81f9d333e", "status": "affected", "versionType": "git"}, {"version": "e624d4ed4aa8", "lessThan": "5bcf0dcbf906", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/core/filter.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.159", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.91", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e"}, {"url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc"}, {"url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4"}, {"url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553"}, {"url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c"}], "title": "xdp: use flags field to disambiguate broadcast redirect", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.646Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:15:48.388446Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:59.643Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.646Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:15:48.388446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:27.367Z"}}], "cna": {"title": "xdp: use flags field to disambiguate broadcast redirect", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "e624d4ed4aa8", "lessThan": "12481f30128f", "versionType": "git"}, {"status": "affected", "version": "e624d4ed4aa8", "lessThan": "272bfb019f3c", "versionType": "git"}, {"status": "affected", "version": "e624d4ed4aa8", "lessThan": "e22e25820fa0", "versionType": "git"}, {"status": "affected", "version": "e624d4ed4aa8", "lessThan": "6fd81f9d333e", "versionType": "git"}, {"status": "affected", "version": "e624d4ed4aa8", "lessThan": "5bcf0dcbf906", "versionType": "git"}], "programFiles": ["net/core/filter.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.14"}, {"status": "unaffected", "version": "0", "lessThan": "5.14", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.159", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.91", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.31", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.10", "versionType": "custom", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/core/filter.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e"}, {"url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc"}, {"url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4"}, {"url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553"}, {"url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-30T15:29:26.353Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36937", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:59.643Z", "dateReserved": "2024-05-30T15:25:07.071Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-30T15:29:26.353Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: use flags field to disambiguate broadcast redirect\n\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\n\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\n\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xdp: use el campo flags para eliminar la ambig\u00fcedad de la redirecci\u00f3n de transmisi\u00f3n Al redireccionar un paquete usando XDP, el asistente bpf_redirect_map() configurar\u00e1 la informaci\u00f3n del destino de redireccionamiento en la estructura bpf_redirect_info (usando el asistente __bpf_xdp_redirect_map() funci\u00f3n), y la funci\u00f3n xdp_do_redirect() leer\u00e1 esta informaci\u00f3n despu\u00e9s de que el programa XDP regrese y pasar\u00e1 el framework al destino de redireccionamiento correcto. Cuando se utiliza el indicador BPF_F_BROADCAST para realizar una redirecci\u00f3n de multidifusi\u00f3n a un mapa completo, __bpf_xdp_redirect_map() establece el puntero 'mapa' en la estructura bpf_redirect_info para que apunte al mapa de destino que se va a transmitir. Y xdp_do_redirect() reacciona al valor de este puntero de mapa para decidir si se trata de una transmisi\u00f3n o una redirecci\u00f3n de valor \u00fanico. Sin embargo, si el mapa de destino se destruye antes de llamar a xdp_do_redirect(), el puntero del mapa se borrar\u00e1 (mediante bpf_clear_redirect_map()) sin esperar a que deje de ejecutarse ning\u00fan programa XDP. Esto hace que xdp_do_redirect() piense que la redirecci\u00f3n fue a un \u00fanico objetivo, pero el puntero de destino tambi\u00e9n es NULL (dado que las redirecciones de difusi\u00f3n no tienen un \u00fanico objetivo), por lo que esto provoca un bloqueo cuando se pasa un puntero NULL a dev_map_enqueue( ). Para solucionar este problema, cambie xdp_do_redirect() para reaccionar directamente a la presencia del indicador BPF_F_BROADCAST en el valor 'flags' en la estructura bpf_redirect_info para eliminar la ambig\u00fcedad entre un redireccionamiento de destino \u00fanico y de transmisi\u00f3n. Y solo lea el puntero del 'mapa' si la bandera de transmisi\u00f3n est\u00e1 activada, abortando si se ha borrado mientras tanto. Esto evita el bloqueo, manteniendo al mismo tiempo la limpieza at\u00f3mica (basada en cmpxchg) del puntero del mapa y sin agregar m\u00e1s comprobaciones en la ruta r\u00e1pida sin transmisi\u00f3n."}], "id": "CVE-2024-36937", "lastModified": "2024-11-21T09:22:51.593", "metrics": {}, "published": "2024-05-30T16:15:16.797", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/12481f30128fbebc2eeb55eb2d56390fdfa30c5e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/272bfb019f3cc018f654b992115774e77b4f3ffc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/5bcf0dcbf9066348058b88a510c57f70f384c92c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/6fd81f9d333e7b3532036577b1beb74ba1323553"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e22e25820fa04ea5eaac4ef7ee200e9923f466a4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: xdp: use flags field to disambiguate broadcast redirect", "id": "2284481", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2284481"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nxdp: use flags field to disambiguate broadcast redirect\nWhen redirecting a packet using XDP, the bpf_redirect_map() helper will set\nup the redirect destination information in struct bpf_redirect_info (using\nthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()\nfunction will read this information after the XDP program returns and pass\nthe frame on to the right redirect destination.\nWhen using the BPF_F_BROADCAST flag to do multicast redirect to a whole\nmap, __bpf_xdp_redirect_map() sets the 'map' pointer in struct\nbpf_redirect_info to point to the destination map to be broadcast. And\nxdp_do_redirect() reacts to the value of this map pointer to decide whether\nit's dealing with a broadcast or a single-value redirect. However, if the\ndestination map is being destroyed before xdp_do_redirect() is called, the\nmap pointer will be cleared out (by bpf_clear_redirect_map()) without\nwaiting for any XDP programs to stop running. This causes xdp_do_redirect()\nto think that the redirect was to a single target, but the target pointer\nis also NULL (since broadcast redirects don't have a single target), so\nthis causes a crash when a NULL pointer is passed to dev_map_enqueue().\nTo fix this, change xdp_do_redirect() to react directly to the presence of\nthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info\nto disambiguate between a single-target and a broadcast redirect. And only\nread the 'map' pointer if the broadcast flag is set, aborting if that has\nbeen cleared out in the meantime. This prevents the crash, while keeping\nthe atomic (cmpxchg-based) clearing of the map pointer itself, and without\nadding any more checks in the non-broadcast fast path."], "name": "CVE-2024-36937", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36937\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36937\nhttps://lore.kernel.org/linux-cve-announce/2024053042-CVE-2024-36937-be12@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 5.15.159, kernel 6.1.91, kernel 6.6.31, kernel 6.8.10, kernel 6.9"}