cve/published/2024/CVE-2024-41045.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41045: bpf: Defer work in bpf_timer_cancel_and_free

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Defer work in bpf_timer_cancel_and_free

 Currently, the same case as previous patch (two timer callbacks trying
 to cancel each other) can be invoked through bpf_map_update_elem as
 well, or more precisely, freeing map elements containing timers. Since
 this relies on hrtimer_cancel as well, it is prone to the same deadlock
 situation as the previous patch.

 It would be sufficient to use hrtimer_try_to_cancel to fix this problem,
 as the timer cannot be enqueued after async_cancel_and_free. Once
 async_cancel_and_free has been done, the timer must be reinitialized
 before it can be armed again. The callback running in parallel trying to
 arm the timer will fail, and freeing bpf_hrtimer without waiting is
 sufficient (given kfree_rcu), and bpf_timer_cb will return
 HRTIMER_NORESTART, preventing the timer from being rearmed again.

 However, there exists a UAF scenario where the callback arms the timer
 before entering this function, such that if cancellation fails (due to
 timer callback invoking this routine, or the target timer callback
 running concurrently). In such a case, if the timer expiration is
 significantly far in the future, the RCU grace period expiration
 happening before it will free the bpf_hrtimer state and along with it
 the struct hrtimer, that is enqueued.

 Hence, it is clear cancellation needs to occur after
 async_cancel_and_free, and yet it cannot be done inline due to deadlock
 issues. We thus modify bpf_timer_cancel_and_free to defer work to the
 global workqueue, adding a work_struct alongside rcu_head (both used at
 _different_ points of time, so can share space).

 Update existing code comments to reflect the new state of affairs.

 The Linux kernel CVE team has assigned CVE-2024-41045 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit b00628b1c7d595ae5b544e059c27b1f5828314b4 and fixed in 6.9.10 with commit 7aa5a19279c3639ae8b758b63f05d0c616a39fa1
 	Issue introduced in 5.15 with commit b00628b1c7d595ae5b544e059c27b1f5828314b4 and fixed in 6.10 with commit a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41045
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/helpers.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1
 	https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41045: bpf: Defer work in bpf_timer_cancel_and_free

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Defer work in bpf_timer_cancel_and_free

	Currently, the same case as previous patch (two timer callbacks trying
	to cancel each other) can be invoked through bpf_map_update_elem as
	well, or more precisely, freeing map elements containing timers. Since
	this relies on hrtimer_cancel as well, it is prone to the same deadlock
	situation as the previous patch.

	It would be sufficient to use hrtimer_try_to_cancel to fix this problem,
	as the timer cannot be enqueued after async_cancel_and_free. Once
	async_cancel_and_free has been done, the timer must be reinitialized
	before it can be armed again. The callback running in parallel trying to
	arm the timer will fail, and freeing bpf_hrtimer without waiting is
	sufficient (given kfree_rcu), and bpf_timer_cb will return
	HRTIMER_NORESTART, preventing the timer from being rearmed again.

	However, there exists a UAF scenario where the callback arms the timer
	before entering this function, such that if cancellation fails (due to
	timer callback invoking this routine, or the target timer callback
	running concurrently). In such a case, if the timer expiration is
	significantly far in the future, the RCU grace period expiration
	happening before it will free the bpf_hrtimer state and along with it
	the struct hrtimer, that is enqueued.

	Hence, it is clear cancellation needs to occur after
	async_cancel_and_free, and yet it cannot be done inline due to deadlock
	issues. We thus modify bpf_timer_cancel_and_free to defer work to the
	global workqueue, adding a work_struct alongside rcu_head (both used at
	_different_ points of time, so can share space).

	Update existing code comments to reflect the new state of affairs.

	The Linux kernel CVE team has assigned CVE-2024-41045 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit b00628b1c7d595ae5b544e059c27b1f5828314b4 and fixed in 6.9.10 with commit 7aa5a19279c3639ae8b758b63f05d0c616a39fa1
	Issue introduced in 5.15 with commit b00628b1c7d595ae5b544e059c27b1f5828314b4 and fixed in 6.10 with commit a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41045
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/helpers.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1
	https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69