cve/published/2024/CVE-2024-40909.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40909: bpf: Fix a potential use-after-free in bpf_link_free()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Fix a potential use-after-free in bpf_link_free()

 After commit 1a80dbcb2dba, bpf_link can be freed by
 link->ops->dealloc_deferred, but the code still tests and uses
 link->ops->dealloc afterward, which leads to a use-after-free as
 reported by syzbot. Actually, one of them should be sufficient, so
 just call one of them instead of both. Also add a WARN_ON() in case
 of any problematic implementation.

 The Linux kernel CVE team has assigned CVE-2024-40909 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.26 with commit 876941f533e7b47fc69977fc4551c02f2d18af97 and fixed in 6.6.35 with commit 91cff53136daeff50816b0baeafd38a6976f6209
 	Issue introduced in 6.9 with commit 1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce and fixed in 6.9.6 with commit fa97b8fed9896f1e89cb657513e483a152d4c382
 	Issue introduced in 6.9 with commit 1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce and fixed in 6.10 with commit 2884dc7d08d98a89d8d65121524bb7533183a63a
 	Issue introduced in 6.8.5 with commit 5d8d447777564b35f67000e7838e7ccb64d525c8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40909
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/syscall.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/91cff53136daeff50816b0baeafd38a6976f6209
 	https://git.kernel.org/stable/c/fa97b8fed9896f1e89cb657513e483a152d4c382
 	https://git.kernel.org/stable/c/2884dc7d08d98a89d8d65121524bb7533183a63a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40909: bpf: Fix a potential use-after-free in bpf_link_free()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Fix a potential use-after-free in bpf_link_free()

	After commit 1a80dbcb2dba, bpf_link can be freed by
	link->ops->dealloc_deferred, but the code still tests and uses
	link->ops->dealloc afterward, which leads to a use-after-free as
	reported by syzbot. Actually, one of them should be sufficient, so
	just call one of them instead of both. Also add a WARN_ON() in case
	of any problematic implementation.

	The Linux kernel CVE team has assigned CVE-2024-40909 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.26 with commit 876941f533e7b47fc69977fc4551c02f2d18af97 and fixed in 6.6.35 with commit 91cff53136daeff50816b0baeafd38a6976f6209
	Issue introduced in 6.9 with commit 1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce and fixed in 6.9.6 with commit fa97b8fed9896f1e89cb657513e483a152d4c382
	Issue introduced in 6.9 with commit 1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce and fixed in 6.10 with commit 2884dc7d08d98a89d8d65121524bb7533183a63a
	Issue introduced in 6.8.5 with commit 5d8d447777564b35f67000e7838e7ccb64d525c8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40909
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/syscall.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/91cff53136daeff50816b0baeafd38a6976f6209
	https://git.kernel.org/stable/c/fa97b8fed9896f1e89cb657513e483a152d4c382
	https://git.kernel.org/stable/c/2884dc7d08d98a89d8d65121524bb7533183a63a