From bippy-1.1.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52621: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

These three bpf_map_{lookup,update,delete}_elem() helpers are also
available for sleepable bpf programs, so add the corresponding lock
assertion for sleepable bpf programs, otherwise the following warning
will be reported when a sleepable bpf program manipulates a bpf map under
interpreter mode (aka bpf_jit_enable=0):

WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......
CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
RIP: 0010:bpf_map_lookup_elem+0x54/0x60
......
Call Trace:
<TASK>
? __warn+0xa5/0x240
? bpf_map_lookup_elem+0x54/0x60
? report_bug+0x1ba/0x1f0
? handle_bug+0x40/0x80
? exc_invalid_op+0x18/0x50
? asm_exc_invalid_op+0x1b/0x20
? __pfx_bpf_map_lookup_elem+0x10/0x10
? rcu_lockdep_current_cpu_online+0x65/0xb0
? rcu_is_watching+0x23/0x50
? bpf_map_lookup_elem+0x54/0x60
? __pfx_bpf_map_lookup_elem+0x10/0x10
___bpf_prog_run+0x513/0x3b70
__bpf_prog_run32+0x9d/0xd0
? __bpf_prog_enter_sleepable_recur+0xad/0x120
? __bpf_prog_enter_sleepable_recur+0x3e/0x120
bpf_trampoline_6442580665+0x4d/0x1000
__x64_sys_getpgid+0x5/0x30
? do_syscall_64+0x36/0xb0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
</TASK>

The Linux kernel CVE team has assigned CVE-2023-52621 to this issue.


Affected and fixed versions
===========================

Fixed in 5.10.237 with commit 82f2df94dac1aa9b879e74d1f82ba1b631bdc612
Fixed in 5.15.181 with commit 3516f93cc63d956e1b290ae4b7bf2586074535a0
Fixed in 6.1.77 with commit d6d6fe4bb105595118f12abeed4a7bdd450853f3
Fixed in 6.6.16 with commit 483cb92334cd7f1d5387dccc0ab5d595d27a669d
Fixed in 6.7.4 with commit c7f1b6146f4a46d727c0d046284c28b6882c6304
Fixed in 6.8 with commit 169410eba271afc9f0fb476d996795aa26770c6d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52621
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
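As an added example (not part of this advisory or of any kernel tooling), a Python helper that compares a `uname -r` string against the fixed-version table above and scans dmesg output for the warning signature quoted in the description; the function names and the sample log lines are this example's own.

```python
import re

# Stable series -> first release carrying the fix, as listed in this advisory.
FIXED_IN = {(5, 10): (5, 10, 237), (5, 15): (5, 15, 181), (6, 1): (6, 1, 77),
            (6, 6): (6, 6, 16), (6, 7): (6, 7, 4)}
MAINLINE_FIXED = (6, 8)  # the fix landed in 6.8, so 6.8 and later carry it
# Shape of the splat quoted in the advisory: a WARN inside kernel/bpf/helpers.c.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at kernel/bpf/helpers\.c:\d+")

def parse_kernel_version(release):
    """Turn a `uname -r` string such as '6.6.10-0-lts' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def assess(release):
    """Return 'fixed', 'older-than-fix' or 'no-fix-listed' for a kernel release.

    'older-than-fix' means the upstream fix is newer than this version; a
    distribution may still have backported the commit, so confirm with the vendor.
    """
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series >= MAINLINE_FIXED:
        return "fixed"
    if series in FIXED_IN:
        return "fixed" if (major, minor, patch) >= FIXED_IN[series] else "older-than-fix"
    return "no-fix-listed"  # a branch for which the advisory lists no backport

def find_helper_warnings(dmesg_text):
    """Return dmesg lines matching the WARN_ON_ONCE signature from the report."""
    return [line for line in dmesg_text.splitlines() if WARN_RE.search(line)]

# Constructed sample log: one line shaped like the advisory's warning, plus noise.
SAMPLE_DMESG = """\
[  12.345678] bpf_testmod: loading out-of-tree module taints kernel.
[  99.123456] WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 bpf_map_lookup_elem+0x54/0x60
[  99.123460] RIP: 0010:bpf_map_lookup_elem+0x54/0x60
"""

if __name__ == "__main__":
    for rel in ("6.6.10-0-lts", "6.6.16", "6.8.0-31-generic", "5.4.270"):
        print(f"{rel:18} -> {assess(rel)}")
    print(find_helper_warnings(SAMPLE_DMESG))
```

A distribution kernel can carry the backport under an older version number, so treat "older-than-fix" as a prompt to check the vendor's changelog rather than as proof of exposure.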


Affected files
==============

The file(s) affected by this issue are:
kernel/bpf/helpers.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/82f2df94dac1aa9b879e74d1f82ba1b631bdc612
https://git.kernel.org/stable/c/3516f93cc63d956e1b290ae4b7bf2586074535a0
https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3
https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d
https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304
https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d