| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-38662: bpf: Allow delete from sockmap/sockhash only if update is allowed |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| bpf: Allow delete from sockmap/sockhash only if update is allowed |
| |
| We have seen an influx of syzkaller reports where a BPF program attached to |
| a tracepoint triggers a locking rule violation by performing a map_delete |
| on a sockmap/sockhash. |
| |
| We don't intend to support this artificial use scenario. Extend the |
| existing verifier allowed-program-type check for updating sockmap/sockhash |
| to also cover deleting from a map. |
| |
| From now on only BPF programs which were previously allowed to update |
| sockmap/sockhash can delete from these map types. |
| |
| The Linux kernel CVE team has assigned CVE-2024-38662 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.10.215 with commit dd54b48db0c822ae7b520bc80751f0a0a173ef75 and fixed in 5.10.219 with commit 29467edc23818dc5a33042ffb4920b49b090e63d |
| Issue introduced in 5.15.154 with commit d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec and fixed in 5.15.161 with commit 11e8ecc5b86037fec43d07b1c162e233e131b1d9 |
| Issue introduced in 6.1.85 with commit a44770fed86515eedb5a7c00b787f847ebb134a5 and fixed in 6.1.93 with commit 6693b172f008846811f48a099f33effc26068e1e |
| Issue introduced in 6.6.26 with commit 668b3074aa14829e2ac2759799537a93b60fef86 and fixed in 6.6.33 with commit 000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1 |
| Issue introduced in 6.9 with commit ff91059932401894e6c86341915615c5eb0eca48 and fixed in 6.9.4 with commit b81e1c5a3c70398cf76631ede63a03616ed1ba3c |
| Issue introduced in 6.9 with commit ff91059932401894e6c86341915615c5eb0eca48 and fixed in 6.10 with commit 98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d |
| Issue introduced in 5.4.274 with commit f7990498b05ac41f7d6a190dc0418ef1d21bf058 |
| Issue introduced in 6.8.5 with commit 6af057ccdd8e7619960aca1f0428339f213b31cd |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-38662 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| kernel/bpf/verifier.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/29467edc23818dc5a33042ffb4920b49b090e63d |
| https://git.kernel.org/stable/c/11e8ecc5b86037fec43d07b1c162e233e131b1d9 |
| https://git.kernel.org/stable/c/6693b172f008846811f48a099f33effc26068e1e |
| https://git.kernel.org/stable/c/000a65bf1dc04fb2b65e2abf116f0bc0fc2ee7b1 |
| https://git.kernel.org/stable/c/b81e1c5a3c70398cf76631ede63a03616ed1ba3c |
| https://git.kernel.org/stable/c/98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d |
