| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix UAF due to race between btf_try_get_module and load_module\n\nWhile working on code to populate kfunc BTF ID sets for module BTF from\nits initcall, I noticed that by the time the initcall is invoked, the\nmodule BTF can already be seen by userspace (and the BPF verifier). The\nexisting btf_try_get_module calls try_module_get which only fails if\nmod->state == MODULE_STATE_GOING, i.e. it can increment module reference\nwhen module initcall is happening in parallel.\n\nCurrently, BTF parsing happens from MODULE_STATE_COMING notifier\ncallback. At this point, the module initcalls have not been invoked.\nThe notifier callback parses and prepares the module BTF, allocates an\nID, which publishes it to userspace, and then adds it to the btf_modules\nlist allowing the kernel to invoke btf_try_get_module for the BTF.\n\nHowever, at this point, the module has not been fully initialized (i.e.\nits initcalls have not finished). The code in module.c can still fail\nand free the module, without caring for other users. However, nothing\nstops btf_try_get_module from succeeding between the state transition\nfrom MODULE_STATE_COMING to MODULE_STATE_LIVE.\n\nThis leads to a use-after-free issue when BPF program loads\nsuccessfully in the state transition, load_module's do_init_module call\nfails and frees the module, and BPF program fd on close calls module_put\nfor the freed module. Future patch has test case to verify we don't\nregress in this area in future.\n\nThere are multiple points after prepare_coming_module (in load_module)\nwhere failure can occur and module loading can return error. We\nillustrate and test for the race using the last point where it can\npractically occur (in module __init function).\n\nAn illustration of the race:\n\nCPU 0 CPU 1\n\t\t\t load_module\n\t\t\t notifier_call(MODULE_STATE_COMING)\n\t\t\t btf_parse_module\n\t\t\t btf_alloc_id\t// Published to userspace\n\t\t\t list_add(&btf_mod->list, btf_modules)\n\t\t\t mod->init(...)\n...\t\t\t\t^\nbpf_check\t\t |\ncheck_pseudo_btf_id |\n btf_try_get_module |\n returns true | ...\n... | module __init in progress\nreturn prog_fd | ...\n... V\n\t\t\t if (ret < 0)\n\t\t\t free_module(mod)\n\t\t\t ...\nclose(prog_fd)\n ...\n bpf_prog_free_deferred\n module_put(used_btf.mod) // use-after-free\n\nWe fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier\ncallback when MODULE_STATE_LIVE state is reached for the module, so that\nwe return NULL from btf_try_get_module for modules that are not fully\nformed. Since try_module_get already checks that module is not in\nMODULE_STATE_GOING state, and that is the only transition a live module\ncan make before being removed from btf_modules list, this is enough to\nclose the race and prevent the bug.\n\nA later selftest patch crafts the race condition artifically to verify\nthat it has been fixed, and that verifier fails to load program (with\nENXIO).\n\nLastly, a couple of comments:\n\n 1. Even if this race didn't exist, it seems more appropriate to only\n access resources (ksyms and kfuncs) of a fully formed module which\n has been initialized completely.\n\n 2. This patch was born out of need for synchronization against module\n initcall for the next patch, so it is needed for correctness even\n without the aforementioned race condition. The BTF resources\n initialized by module initcall are set up once and then only looked\n up, so just waiting until the initcall has finished ensures correct\n behavior." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "kernel/bpf/btf.c" |
| ], |
| "versions": [ |
| { |
| "version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c", |
| "lessThan": "51b82141fffa454abf937a8ff0b8af89e4fd0c8f", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c", |
| "lessThan": "d7fccf264b1a785525b366a5b7f8113c756187ad", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c", |
| "lessThan": "0481baa2318cb1ab13277715da6cdbb657807b3f", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c", |
| "lessThan": "18688de203b47e5d8d9d0953385bf30b5949324f", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "kernel/bpf/btf.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.12", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.12", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.33", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.16.19", |
| "lessThanOrEqual": "5.16.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.17.2", |
| "lessThanOrEqual": "5.17.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.18", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.12", |
| "versionEndExcluding": "5.15.33" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.12", |
| "versionEndExcluding": "5.16.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.12", |
| "versionEndExcluding": "5.17.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.12", |
| "versionEndExcluding": "5.18" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/51b82141fffa454abf937a8ff0b8af89e4fd0c8f" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d7fccf264b1a785525b366a5b7f8113c756187ad" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/0481baa2318cb1ab13277715da6cdbb657807b3f" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/18688de203b47e5d8d9d0953385bf30b5949324f" |
| } |
| ], |
| "title": "bpf: Fix UAF due to race between btf_try_get_module and load_module", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2022-49236", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
