{"id":"CVE-2024-50161","summary":"bpf: Check the remaining info_cnt before repeating btf fields","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check the remaining info_cnt before repeating btf fields\n\nWhen trying to repeat the btf fields for array of nested struct, it\ndoesn't check the remaining info_cnt. The following splat will be\nreported when the value of ret * nelems is greater than BTF_FIELDS_MAX:\n\n  ------------[ cut here ]------------\n  UBSAN: array-index-out-of-bounds in ../kernel/bpf/btf.c:3951:49\n  index 11 is out of range for type 'btf_field_info [11]'\n  CPU: 6 UID: 0 PID: 411 Comm: test_progs ...... 6.11.0-rc4+ #1\n  Tainted: [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x57/0x70\n   dump_stack+0x10/0x20\n   ubsan_epilogue+0x9/0x40\n   __ubsan_handle_out_of_bounds+0x6f/0x80\n   ? kallsyms_lookup_name+0x48/0xb0\n   btf_parse_fields+0x992/0xce0\n   map_create+0x591/0x770\n   __sys_bpf+0x229/0x2410\n   __x64_sys_bpf+0x1f/0x30\n   x64_sys_call+0x199/0x9f0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x7fea56f2cc5d\n  ......\n   \u003c/TASK\u003e\n  ---[ end trace ]---\n\nFix it by checking the remaining info_cnt in btf_repeat_fields() before\nrepeating the btf fields.","modified":"2026-04-02T12:21:18.971874Z","published":"2024-11-07T09:31:38.118Z","related":["USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50161.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6f957d972feee9b385ea3ae6530310a84e55ba71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/797d73ee232dd1833dec4824bc53a22032e97c1c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50161.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50161"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"64e8ee814819f21beeeda00d4119221443d77992"},{"fixed":"6f957d972feee9b385ea3ae6530310a84e55ba71"},{"fixed":"797d73ee232dd1833dec4824bc53a22032e97c1c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50161.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}