In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.
| Product | Vendor | Version |
|---|---|---|
| Linux | Linux | 11.5.1-11.6.3 |
| Linux | Linux | 12.1.0-12.1.3 |
| Linux | Linux | < 4.8.1.09320.02 |
| Linux | Linux | < 2.0.50727.8981 |