cve/published/2024/CVE-2024-58070.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

 In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible
 context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is
 to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT
 is enabled.

 [   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
 [   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs
 [   35.118569] preempt_count: 1, expected: 0
 [   35.118571] RCU nest depth: 1, expected: 1
 [   35.118577] INFO: lockdep is turned off.
     ...
 [   35.118647]  __might_resched+0x433/0x5b0
 [   35.118677]  rt_spin_lock+0xc3/0x290
 [   35.118700]  ___slab_alloc+0x72/0xc40
 [   35.118723]  __kmalloc_noprof+0x13f/0x4e0
 [   35.118732]  bpf_map_kzalloc+0xe5/0x220
 [   35.118740]  bpf_selem_alloc+0x1d2/0x7b0
 [   35.118755]  bpf_local_storage_update+0x2fa/0x8b0
 [   35.118784]  bpf_sk_storage_get_tracing+0x15a/0x1d0
 [   35.118791]  bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66
 [   35.118795]  bpf_trace_run3+0x222/0x400
 [   35.118820]  __bpf_trace_inet_sock_set_state+0x11/0x20
 [   35.118824]  trace_inet_sock_set_state+0x112/0x130
 [   35.118830]  inet_sk_state_store+0x41/0x90
 [   35.118836]  tcp_set_state+0x3b3/0x640

 There is no need to adjust the gfp_flags passing to the
 bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL.
 The verifier has ensured GFP_KERNEL is passed only in sleepable context.

 It has been an old issue since the first introduction of the
 bpf_local_storage ~5 years ago, so this patch targets the bpf-next.

 bpf_mem_alloc is needed to solve it, so the Fixes tag is set
 to the commit when bpf_mem_alloc was first used in the bpf_local_storage.

 The Linux kernel CVE team has assigned CVE-2024-58070 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.6.76 with commit 3392fa605d7c5708c5fbe02e4fbdac547c3b7352
 	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.12.13 with commit b0027500000dfcb8ee952557d565064cea22c43e
 	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.13.2 with commit c1d398a3af7e59d7fef351c84fed7ebb575d1f1a
 	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.14 with commit 8eef6ac4d70eb1f0099fff93321d90ce8fa49ee1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58070
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/bpf_local_storage.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3392fa605d7c5708c5fbe02e4fbdac547c3b7352
 	https://git.kernel.org/stable/c/b0027500000dfcb8ee952557d565064cea22c43e
 	https://git.kernel.org/stable/c/c1d398a3af7e59d7fef351c84fed7ebb575d1f1a
 	https://git.kernel.org/stable/c/8eef6ac4d70eb1f0099fff93321d90ce8fa49ee1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

	In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible
	context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is
	to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT
	is enabled.

	[ 35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
	[ 35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs
	[ 35.118569] preempt_count: 1, expected: 0
	[ 35.118571] RCU nest depth: 1, expected: 1
	[ 35.118577] INFO: lockdep is turned off.
	...
	[ 35.118647] __might_resched+0x433/0x5b0
	[ 35.118677] rt_spin_lock+0xc3/0x290
	[ 35.118700] ___slab_alloc+0x72/0xc40
	[ 35.118723] __kmalloc_noprof+0x13f/0x4e0
	[ 35.118732] bpf_map_kzalloc+0xe5/0x220
	[ 35.118740] bpf_selem_alloc+0x1d2/0x7b0
	[ 35.118755] bpf_local_storage_update+0x2fa/0x8b0
	[ 35.118784] bpf_sk_storage_get_tracing+0x15a/0x1d0
	[ 35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66
	[ 35.118795] bpf_trace_run3+0x222/0x400
	[ 35.118820] __bpf_trace_inet_sock_set_state+0x11/0x20
	[ 35.118824] trace_inet_sock_set_state+0x112/0x130
	[ 35.118830] inet_sk_state_store+0x41/0x90
	[ 35.118836] tcp_set_state+0x3b3/0x640

	There is no need to adjust the gfp_flags passing to the
	bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL.
	The verifier has ensured GFP_KERNEL is passed only in sleepable context.

	It has been an old issue since the first introduction of the
	bpf_local_storage ~5 years ago, so this patch targets the bpf-next.

	bpf_mem_alloc is needed to solve it, so the Fixes tag is set
	to the commit when bpf_mem_alloc was first used in the bpf_local_storage.

	The Linux kernel CVE team has assigned CVE-2024-58070 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.6.76 with commit 3392fa605d7c5708c5fbe02e4fbdac547c3b7352
	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.12.13 with commit b0027500000dfcb8ee952557d565064cea22c43e
	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.13.2 with commit c1d398a3af7e59d7fef351c84fed7ebb575d1f1a
	Issue introduced in 6.4 with commit 08a7ce384e33e53e0732c500a8af67a73f8fceca and fixed in 6.14 with commit 8eef6ac4d70eb1f0099fff93321d90ce8fa49ee1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58070
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/bpf_local_storage.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3392fa605d7c5708c5fbe02e4fbdac547c3b7352
	https://git.kernel.org/stable/c/b0027500000dfcb8ee952557d565064cea22c43e
	https://git.kernel.org/stable/c/c1d398a3af7e59d7fef351c84fed7ebb575d1f1a
	https://git.kernel.org/stable/c/8eef6ac4d70eb1f0099fff93321d90ce8fa49ee1