CVE-2024-47794
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2024-47794 is a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem: an infinite loop that occurs when tail calls are combined with freplace functionality. The vulnerability was discovered and disclosed on January 11, 2025 (NVD, Debian Tracker).

Technical details

The vulnerability stems from an infinite loop condition that occurs in the BPF subsystem when combining tail calls with freplace operations. The issue manifests when the attach target for entry_freplace of tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in entry_freplace leads to entry_tc. This creates an infinite loop pattern: entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc. The problem occurs because the tail_call_cnt in entry_freplace resets to zero each time entry_freplace is executed, preventing the tail call mechanism from terminating (Kernel Commit). According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 score of 4.4 (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) (Red Hat XML).

Impact

The infinite loop can lead to a kernel panic, potentially causing system instability or denial of service. The impact is somewhat limited because exploitation requires privileged access (CAP_SYS_ADMIN or root): unprivileged users are prevented from using eBPF by default through the kernel.unprivileged_bpf_disabled sysctl setting (Red Hat XML).

Mitigation and workarounds

The fix implements a two-fold solution: 1) Preventing updates to a program extended by a freplace program to a prog_array map, and 2) Preventing the extension of a program that is already part of a prog_array map with a freplace program. Additionally, the fix returns -EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a prog_array map (Kernel Commit).
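
The counter reset described under Technical details and the checks listed above can be modelled in userspace. This is an added example, not code from the kernel commit: every name in it is hypothetical, and the limit, the step cap and the MODEL_REJECTED return value are constructed for the model (the page states an error code only for the BPF_PROG_TYPE_EXT case).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
#define MODEL_TAIL_CALL_LIMIT 33  /* constructed limit for this model */
#define MODEL_STEP_CAP 1000       /* cuts off the non-terminating case */
#define MODEL_REJECTED 1          /* page gives no error code for these checks */

struct model_prog {
    bool is_ext;               /* program type is BPF_PROG_TYPE_EXT (freplace) */
    bool extended_by_freplace; /* a freplace program is attached to it */
    bool in_prog_array;        /* it is a member of a prog_array map */
};

/* Tail calls executed on entry_tc -> subprog_tc -> entry_freplace --tailcall->
 * entry_tc. With reset_in_freplace, tail_call_cnt restarts at zero each pass. */
int simulate_tail_calls(bool reset_in_freplace) {
    int tail_call_cnt = 0, executed = 0;
    while (executed < MODEL_STEP_CAP) {
        if (reset_in_freplace)
            tail_call_cnt = 0;  /* counter reset on entry to entry_freplace */
        if (tail_call_cnt >= MODEL_TAIL_CALL_LIMIT)
            break;              /* limit reached, the chain ends */
        tail_call_cnt++;        /* entry_freplace tail-calls entry_tc */
        executed++;
    }
    return executed;
}

/* Adding a program to a prog_array map with the fix's checks applied. */
int model_prog_array_add(struct model_prog *p) {
    if (p->is_ext) return -EINVAL;                      /* stated on the page */
    if (p->extended_by_freplace) return MODEL_REJECTED; /* measure 1 */
    p->in_prog_array = true;
    return 0;
}

/* Attaching a freplace program to a target with the fix's check applied. */
int model_freplace_attach(struct model_prog *target) {
    if (target->in_prog_array) return MODEL_REJECTED;   /* measure 2 */
    target->extended_by_freplace = true;
    return 0;
}

int main(void) {
    printf("kept: %d, reset: %d\n", simulate_tail_calls(false), simulate_tail_calls(true));
    return 0;
}
```

With the counter carried across the chain the model stops at the limit; with the reset it runs until the step cap, which is the condition the two ordering checks make unreachable.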

Source: This report was generated using AI

Related Linux Kernel vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-71142 | N/A | N/A | Linux Kernel | kernel-64k-core | No | No | Jan 14, 2026 |
| CVE-2025-71137 | N/A | N/A | Linux Kernel | kernel-64k | No | Yes | Jan 14, 2026 |
| CVE-2025-71135 | N/A | N/A | Linux Kernel | rv | No | No | Jan 14, 2026 |
| CVE-2025-71134 | N/A | N/A | Linux Kernel | kernel-zfcpdump | No | No | Jan 14, 2026 |
| CVE-2025-71133 | N/A | N/A | Linux Kernel | kernel-rt-debug | No | Yes | Jan 14, 2026 |
