CVE-2025-40123
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Enforce expected_attach_type for tailcall compatibility
Yinhao et al. recently reported:
Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to deference the txq member of struct xdp_buff object.
The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point for bpf_prog_test_run_xdp() and its expected_attach_type can neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP to pass xdp_is_valid_access() validation. The program returns struct xdp_md's egress_ifindex, and the latter is only allowed to be accessed under mentioned expected_attach_type. progB is then inserted into the tailcall which progA calls.
The underlying issue goes beyond XDP though. Another example are programs of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well as sock_addr_func_proto() have different logic depending on the programs' expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME should not be allowed doing a tailcall into a program which calls bpf_bind() out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.
In short, specifying expected_attach_type allows to open up additional functionality or restrictions beyond what the basic bpf_prog_type enables. The use of tailcalls must not violate these constraints. Fix it by enforcing expected_attach_type in __bpf_prog_map_compatible().
Note that we only enforce this for tailcall maps, but not for BPF devmaps or cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and cpu_map_bpf_prog_run*() which set up a new environment / context and therefore these situations are not prone to this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
82- osv-coords81 versionspkg:linux/kernelpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP7pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP7pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2016.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP7pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP7pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_8&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-livepatch-SLE15-SP7_Update_8&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7pkg:rpm/suse/kernel-obs-qa&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-obs-qa&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-source-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP7pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-syms-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP7pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_76&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
>= 4.17.0, < 6.1.156+ 80 more
- (no CPE)range: >= 4.17.0, < 6.1.156
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-150700.20.24.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-150700.53.28.1.150700.17.19.1
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.4.0-39.1.21.16
- (no CPE)range: < 6.4.0-39.1.21.16
- (no CPE)range: < 6.12.0-160000.9.1.160000.2.6
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.4.0-39.1
- (no CPE)range: < 6.4.0-39.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-39.1
- (no CPE)range: < 6.4.0-39.1
- (no CPE)range: < 1-150700.1.3.1
- (no CPE)range: < 1-150700.15.3.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-40.1
- (no CPE)range: < 6.4.0-40.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-150700.7.28.1
- (no CPE)range: < 6.4.0-150700.20.24.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.4.0-39.1
- (no CPE)range: < 6.4.0-39.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.4.0-40.1
- (no CPE)range: < 6.4.0-40.1
- (no CPE)range: < 6.4.0-150700.7.28.1
- (no CPE)range: < 6.4.0-150700.20.24.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 4.12.14-122.290.1
- (no CPE)range: < 6.4.0-150700.7.28.1
- (no CPE)range: < 6.4.0-150700.53.28.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 6.12.0-160000.9.1
- (no CPE)range: < 1-8.7.1
Patches
Vulnerability mechanics
References
5- git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32nvd
- git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0nvd
- git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8nvd
- git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923adnvd
- git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6anvd
News mentions
0No linked articles in our index yet.