cve/published/2024/CVE-2024-35860.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35860: bpf: support deferring bpf_link dealloc to after RCU grace period

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: support deferring bpf_link dealloc to after RCU grace period

 BPF link for some program types is passed as a "context" which can be
 used by those BPF programs to look up additional information. E.g., for
 multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.

 Because of this runtime dependency, when bpf_link refcnt drops to zero
 there could still be active BPF programs running accessing link data.

 This patch adds generic support to defer bpf_link dealloc callback to
 after RCU GP, if requested. This is done by exposing two different
 deallocation callbacks, one synchronous and one deferred. If deferred
 one is provided, bpf_link_free() will schedule dealloc_deferred()
 callback to happen after RCU GP.

 BPF is using two flavors of RCU: "classic" non-sleepable one and RCU
 tasks trace one. The latter is used when sleepable BPF programs are
 used. bpf_link_free() accommodates that by checking underlying BPF
 program's sleepable flag, and goes either through normal RCU GP only for
 non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP
 (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF
 program is sleepable.

 We use this for multi-kprobe and multi-uprobe links, which dereference
 link during program run. We also preventively switch raw_tp link to use
 deferred dealloc callback, as upcoming changes in bpf-next tree expose
 raw_tp link data (specifically, cookie value) to BPF program at runtime
 as well.

 The Linux kernel CVE team has assigned CVE-2024-35860 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit 0dcac272540613d41c05e89679e4ddb978b612f1 and fixed in 6.6.26 with commit 876941f533e7b47fc69977fc4551c02f2d18af97
 	Issue introduced in 5.18 with commit 0dcac272540613d41c05e89679e4ddb978b612f1 and fixed in 6.8.5 with commit 5d8d447777564b35f67000e7838e7ccb64d525c8
 	Issue introduced in 5.18 with commit 0dcac272540613d41c05e89679e4ddb978b612f1 and fixed in 6.9 with commit 1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35860
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/bpf.h
 	kernel/bpf/syscall.c
 	kernel/trace/bpf_trace.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97
 	https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8
 	https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35860: bpf: support deferring bpf_link dealloc to after RCU grace period

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: support deferring bpf_link dealloc to after RCU grace period

	BPF link for some program types is passed as a "context" which can be
	used by those BPF programs to look up additional information. E.g., for
	multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.

	Because of this runtime dependency, when bpf_link refcnt drops to zero
	there could still be active BPF programs running accessing link data.

	This patch adds generic support to defer bpf_link dealloc callback to
	after RCU GP, if requested. This is done by exposing two different
	deallocation callbacks, one synchronous and one deferred. If deferred
	one is provided, bpf_link_free() will schedule dealloc_deferred()
	callback to happen after RCU GP.

	BPF is using two flavors of RCU: "classic" non-sleepable one and RCU
	tasks trace one. The latter is used when sleepable BPF programs are
	used. bpf_link_free() accommodates that by checking underlying BPF
	program's sleepable flag, and goes either through normal RCU GP only for
	non-sleepable, or through RCU tasks trace GP and then normal RCU GP
	(taking into account rcu_trace_implies_rcu_gp() optimization), if BPF
	program is sleepable.

	We use this for multi-kprobe and multi-uprobe links, which dereference
	link during program run. We also preventively switch raw_tp link to use
	deferred dealloc callback, as upcoming changes in bpf-next tree expose
	raw_tp link data (specifically, cookie value) to BPF program at runtime
	as well.

	The Linux kernel CVE team has assigned CVE-2024-35860 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit 0dcac272540613d41c05e89679e4ddb978b612f1 and fixed in 6.6.26 with commit 876941f533e7b47fc69977fc4551c02f2d18af97
	Issue introduced in 5.18 with commit 0dcac272540613d41c05e89679e4ddb978b612f1 and fixed in 6.8.5 with commit 5d8d447777564b35f67000e7838e7ccb64d525c8
	Issue introduced in 5.18 with commit 0dcac272540613d41c05e89679e4ddb978b612f1 and fixed in 6.9 with commit 1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35860
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/bpf.h
	kernel/bpf/syscall.c
	kernel/trace/bpf_trace.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97
	https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8
	https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce