{"id":"CVE-2024-53125","summary":"bpf: sync_linked_regs() must preserve subreg_def","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sync_linked_regs() must preserve subreg_def\n\nRange propagation must not affect subreg_def marks, otherwise the\nfollowing example is rewritten by verifier incorrectly when\nBPF_F_TEST_RND_HI32 flag is set:\n\n  0: call bpf_ktime_get_ns                   call bpf_ktime_get_ns\n  1: r0 &= 0x7fffffff       after verifier   r0 &= 0x7fffffff\n  2: w1 = w0                rewrites         w1 = w0\n  3: if w0 \u003c 10 goto +0     --------------\u003e  r11 = 0x2f5674a6     (r)\n  4: r1 \u003e\u003e= 32                               r11 \u003c\u003c= 32           (r)\n  5: r0 = r1                                 r1 |= r11            (r)\n  6: exit;                                   if w0 \u003c 0xa goto pc+0\n                                             r1 \u003e\u003e= 32\n                                             r0 = r1\n                                             exit\n\n(or zero extension of w1 at (2) is missing for architectures that\n require zero extension for upper register half).\n\nThe following happens w/o this patch:\n- r0 is marked as not a subreg at (0);\n- w1 is marked as subreg at (2);\n- w1 subreg_def is overridden at (3) by copy_register_state();\n- w1 is read at (5) but mark_insn_zext() does not mark (2)\n  for zero extension, because w1 subreg_def is not set;\n- because of BPF_F_TEST_RND_HI32 flag verifier inserts random\n  value for hi32 bits of (2) (marked (r));\n- this random value is read at (5).","modified":"2026-04-03T13:14:27.352309Z","published":"2024-12-04T14:11:09.326Z","related":["SUSE-SU-2025:0117-1","SUSE-SU-2025:0153-1","SUSE-SU-2025:0154-1","SUSE-SU-2025:0201-1","SUSE-SU-2025:0201-2","SUSE-SU-2025:02264-1","SUSE-SU-2025:0229-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:02601-1","SUSE-SU-2025:02610-1","SUSE-SU-2025:02611-1","SUSE-SU-2025:02632-1","SUSE-SU-2025:02636-1","SUSE-SU-2025:02638-1","SUSE-SU-2025:02647-1","SUSE-SU-2025:02652-1","SUSE-SU-2025:02688-1","SUSE-SU-2025:02691-1","SUSE-SU-2025:02698-1","SUSE-SU-2025:02708-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","SUSE-SU-2025:20568-1","SUSE-SU-2025:20575-1","SUSE-SU-2025:20576-1","SUSE-SU-2025:20578-1","SUSE-SU-2025:20579-1","SUSE-SU-2025:20584-1","SUSE-SU-2025:20610-1","SUSE-SU-2025:20611-1","SUSE-SU-2025:20620-1","SUSE-SU-2025:20625-1","USN-7276-1","USN-7277-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53125.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/60fd3538d2a8fd44c41d25088c0ece3e1fd30659"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b57ac2d92c1f565743f6890a5b9cf317ed856b09"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfe9446ea1d95f6cb7848da19dfd58d2eec6fd84"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dadf82c1b2608727bcc306843b540cd7414055a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e2ef0f317a52e678fe8fa84b94d6a15b466d6ff0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e9bd9c498cb0f5843996dbe5cbce7a1836a83c70"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53125.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53125"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"75748837b7e56919679e02163f45d5818c644d03"},{"fixed":"dadf82c1b2608727bcc306843b540cd7414055a7"},{"fixed":"b57ac2d92c1f565743f6890a5b9cf317ed856b09"},{"fixed":"60fd3538d2a8fd44c41d25088c0ece3e1fd30659"},{"fixed":"bfe9446ea1d95f6cb7848da19dfd58d2eec6fd84"},{"fixed":"e2ef0f317a52e678fe8fa84b94d6a15b466d6ff0"},{"fixed":"e9bd9c498cb0f5843996dbe5cbce7a1836a83c70"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53125.json"}}],"schema_version":"1.7.5"}