cve/published/2024/CVE-2024-35895.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35895: bpf, sockmap: Prevent lock inversion deadlock in map delete elem

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, sockmap: Prevent lock inversion deadlock in map delete elem

 syzkaller started using corpuses where a BPF tracing program deletes
 elements from a sockmap/sockhash map. Because BPF tracing programs can be
 invoked from any interrupt context, locks taken during a map_delete_elem
 operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
 is possible, as reported by lockdep:

        CPU0                    CPU1
        ----                    ----
   lock(&htab->buckets[i].lock);
                                local_irq_disable();
                                lock(&host->lock);
                                lock(&htab->buckets[i].lock);
   <Interrupt>
     lock(&host->lock);

 Locks in sockmap are hardirq-unsafe by design. We expects elements to be
 deleted from sockmap/sockhash only in task (normal) context with interrupts
 enabled, or in softirq context.

 Detect when map_delete_elem operation is invoked from a context which is
 _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
 error.

 Note that map updates are not affected by this issue. BPF verifier does not
 allow updating sockmap/sockhash from a BPF tracing program today.

 The Linux kernel CVE team has assigned CVE-2024-35895 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.4.274 with commit f7990498b05ac41f7d6a190dc0418ef1d21bf058
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.215 with commit dd54b48db0c822ae7b520bc80751f0a0a173ef75
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.154 with commit d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.1.85 with commit a44770fed86515eedb5a7c00b787f847ebb134a5
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.6.26 with commit 668b3074aa14829e2ac2759799537a93b60fef86
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.8.5 with commit 6af057ccdd8e7619960aca1f0428339f213b31cd
 	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.9 with commit ff91059932401894e6c86341915615c5eb0eca48

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35895
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/sock_map.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058
 	https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75
 	https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
 	https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5
 	https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86
 	https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd
 	https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35895: bpf, sockmap: Prevent lock inversion deadlock in map delete elem

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, sockmap: Prevent lock inversion deadlock in map delete elem

	syzkaller started using corpuses where a BPF tracing program deletes
	elements from a sockmap/sockhash map. Because BPF tracing programs can be
	invoked from any interrupt context, locks taken during a map_delete_elem
	operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
	is possible, as reported by lockdep:

	CPU0 CPU1
	---- ----
	lock(&htab->buckets[i].lock);
	local_irq_disable();
	lock(&host->lock);
	lock(&htab->buckets[i].lock);
	<Interrupt>
	lock(&host->lock);

	Locks in sockmap are hardirq-unsafe by design. We expects elements to be
	deleted from sockmap/sockhash only in task (normal) context with interrupts
	enabled, or in softirq context.

	Detect when map_delete_elem operation is invoked from a context which is
	_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
	error.

	Note that map updates are not affected by this issue. BPF verifier does not
	allow updating sockmap/sockhash from a BPF tracing program today.

	The Linux kernel CVE team has assigned CVE-2024-35895 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.4.274 with commit f7990498b05ac41f7d6a190dc0418ef1d21bf058
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.10.215 with commit dd54b48db0c822ae7b520bc80751f0a0a173ef75
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 5.15.154 with commit d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.1.85 with commit a44770fed86515eedb5a7c00b787f847ebb134a5
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.6.26 with commit 668b3074aa14829e2ac2759799537a93b60fef86
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.8.5 with commit 6af057ccdd8e7619960aca1f0428339f213b31cd
	Issue introduced in 4.20 with commit 604326b41a6fb9b4a78b6179335decee0365cd8c and fixed in 6.9 with commit ff91059932401894e6c86341915615c5eb0eca48

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35895
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/sock_map.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058
	https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75
	https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
	https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5
	https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86
	https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd
	https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48