cve/published/2024/CVE-2024-58088.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Fix deadlock when freeing cgroup storage

 The following commit
 bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]")
 first introduced deadlock prevention for fentry/fexit programs attaching
 on bpf_task_storage helpers. That commit also employed the logic in map
 free path in its v6 version.

 Later bpf_cgrp_storage was first introduced in
 c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs")
 which faces the same issue as bpf_task_storage, instead of its busy
 counter, NULL was passed to bpf_local_storage_map_free() which opened
 a window to cause deadlock:

 	<TASK>
 		(acquiring local_storage->lock)
 	_raw_spin_lock_irqsave+0x3d/0x50
 	bpf_local_storage_update+0xd1/0x460
 	bpf_cgrp_storage_get+0x109/0x130
 	bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170
 	? __bpf_prog_enter_recur+0x16/0x80
 	bpf_trampoline_6442485186+0x43/0xa4
 	cgroup_storage_ptr+0x9/0x20
 		(holding local_storage->lock)
 	bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160
 	bpf_selem_unlink_storage+0x6f/0x110
 	bpf_local_storage_map_free+0xa2/0x110
 	bpf_map_free_deferred+0x5b/0x90
 	process_one_work+0x17c/0x390
 	worker_thread+0x251/0x360
 	kthread+0xd2/0x100
 	ret_from_fork+0x34/0x50
 	ret_from_fork_asm+0x1a/0x30
 	</TASK>

 Progs:
  - A: SEC("fentry/cgroup_storage_ptr")
    - cgid (BPF_MAP_TYPE_HASH)
 	Record the id of the cgroup the current task belonging
 	to in this hash map, using the address of the cgroup
 	as the map key.
    - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)
 	If current task is a kworker, lookup the above hash
 	map using function parameter @owner as the key to get
 	its corresponding cgroup id which is then used to get
 	a trusted pointer to the cgroup through
 	bpf_cgroup_from_id(). This trusted pointer can then
 	be passed to bpf_cgrp_storage_get() to finally trigger
 	the deadlock issue.
  - B: SEC("tp_btf/sys_enter")
    - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)
 	The only purpose of this prog is to fill Prog A's
 	hash map by calling bpf_cgrp_storage_get() for as
 	many userspace tasks as possible.

 Steps to reproduce:
  - Run A;
  - while (true) { Run B; Destroy B; }

 Fix this issue by passing its busy counter to the free procedure so
 it can be properly incremented before storage/smap locking.

 The Linux kernel CVE team has assigned CVE-2024-58088 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.6.80 with commit 6ecb9fa14eec5f15d97c84c36896871335f6ddfb
 	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.12.17 with commit fac674d2bd68f3479f27328626b42d1eebd11fef
 	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.13.5 with commit fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
 	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.14 with commit c78f4afbd962f43a3989f45f3ca04300252b19b5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58088
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/bpf_cgrp_storage.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6ecb9fa14eec5f15d97c84c36896871335f6ddfb
 	https://git.kernel.org/stable/c/fac674d2bd68f3479f27328626b42d1eebd11fef
 	https://git.kernel.org/stable/c/fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
 	https://git.kernel.org/stable/c/c78f4afbd962f43a3989f45f3ca04300252b19b5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Fix deadlock when freeing cgroup storage

	The following commit
	bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get\|delete]")
	first introduced deadlock prevention for fentry/fexit programs attaching
	on bpf_task_storage helpers. That commit also employed the logic in map
	free path in its v6 version.

	Later bpf_cgrp_storage was first introduced in
	c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs")
	which faces the same issue as bpf_task_storage, instead of its busy
	counter, NULL was passed to bpf_local_storage_map_free() which opened
	a window to cause deadlock:

	<TASK>
	(acquiring local_storage->lock)
	_raw_spin_lock_irqsave+0x3d/0x50
	bpf_local_storage_update+0xd1/0x460
	bpf_cgrp_storage_get+0x109/0x130
	bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170
	? __bpf_prog_enter_recur+0x16/0x80
	bpf_trampoline_6442485186+0x43/0xa4
	cgroup_storage_ptr+0x9/0x20
	(holding local_storage->lock)
	bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160
	bpf_selem_unlink_storage+0x6f/0x110
	bpf_local_storage_map_free+0xa2/0x110
	bpf_map_free_deferred+0x5b/0x90
	process_one_work+0x17c/0x390
	worker_thread+0x251/0x360
	kthread+0xd2/0x100
	ret_from_fork+0x34/0x50
	ret_from_fork_asm+0x1a/0x30
	</TASK>

	Progs:
	- A: SEC("fentry/cgroup_storage_ptr")
	- cgid (BPF_MAP_TYPE_HASH)
	Record the id of the cgroup the current task belonging
	to in this hash map, using the address of the cgroup
	as the map key.
	- cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)
	If current task is a kworker, lookup the above hash
	map using function parameter @owner as the key to get
	its corresponding cgroup id which is then used to get
	a trusted pointer to the cgroup through
	bpf_cgroup_from_id(). This trusted pointer can then
	be passed to bpf_cgrp_storage_get() to finally trigger
	the deadlock issue.
	- B: SEC("tp_btf/sys_enter")
	- cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)
	The only purpose of this prog is to fill Prog A's
	hash map by calling bpf_cgrp_storage_get() for as
	many userspace tasks as possible.

	Steps to reproduce:
	- Run A;
	- while (true) { Run B; Destroy B; }

	Fix this issue by passing its busy counter to the free procedure so
	it can be properly incremented before storage/smap locking.

	The Linux kernel CVE team has assigned CVE-2024-58088 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.6.80 with commit 6ecb9fa14eec5f15d97c84c36896871335f6ddfb
	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.12.17 with commit fac674d2bd68f3479f27328626b42d1eebd11fef
	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.13.5 with commit fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
	Issue introduced in 6.2 with commit c4bcfb38a95edb1021a53f2d0356a78120ecfbe4 and fixed in 6.14 with commit c78f4afbd962f43a3989f45f3ca04300252b19b5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58088
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/bpf_cgrp_storage.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6ecb9fa14eec5f15d97c84c36896871335f6ddfb
	https://git.kernel.org/stable/c/fac674d2bd68f3479f27328626b42d1eebd11fef
	https://git.kernel.org/stable/c/fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
	https://git.kernel.org/stable/c/c78f4afbd962f43a3989f45f3ca04300252b19b5