cve/published/2024/CVE-2024-56786.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56786: bpf: put bpf_link's program when link is safe to be deallocated

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: put bpf_link's program when link is safe to be deallocated

 In general, BPF link's underlying BPF program should be considered to be
 reachable through attach hook -> link -> prog chain, and, pessimistically,
 we have to assume that as long as link's memory is not safe to free,
 attach hook's code might hold a pointer to BPF program and use it.

 As such, it's not (generally) correct to put link's program early before
 waiting for RCU GPs to go through. More eager bpf_prog_put() that we
 currently do is mostly correct due to BPF program's release code doing
 similar RCU GP waiting, but as will be shown in the following patches,
 BPF program can be non-sleepable (and, thus, reliant on only "classic"
 RCU GP), while BPF link's attach hook can have sleepable semantics and
 needs to be protected by RCU Tasks Trace, and for such cases BPF link
 has to go through RCU Tasks Trace + "classic" RCU GPs before being
 deallocated. And so, if we put BPF program early, we might free BPF
 program before we free BPF link, leading to use-after-free situation.

 So, this patch defers bpf_prog_put() until we are ready to perform
 bpf_link's deallocation. At worst, this delays BPF program freeing by
 one extra RCU GP, but that seems completely acceptable. Alternatively,
 we'd need more elaborate ways to determine BPF hook, BPF link, and BPF
 program lifetimes, and how they relate to each other, which seems like
 an unnecessary complication.

 Note, for most BPF links we still will perform eager bpf_prog_put() and
 link dealloc, so for those BPF links there are no observable changes
 whatsoever. Only BPF links that use deferred dealloc might notice
 slightly delayed freeing of BPF programs.

 Also, to reduce code and logic duplication, extract program put + link
 dealloc logic into bpf_link_dealloc() helper.

 The Linux kernel CVE team has assigned CVE-2024-56786 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.66 with commit 5fe23c57abadfd46a7a66e81f3536e4757252a0b
 	Fixed in 6.12.5 with commit 2fcb921c2799c49ac5e365cf4110f94a64ae4885
 	Fixed in 6.13 with commit f44ec8733a8469143fde1984b5e6931b2e2f6f3f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56786
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/syscall.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5fe23c57abadfd46a7a66e81f3536e4757252a0b
 	https://git.kernel.org/stable/c/2fcb921c2799c49ac5e365cf4110f94a64ae4885
 	https://git.kernel.org/stable/c/f44ec8733a8469143fde1984b5e6931b2e2f6f3f
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56786: bpf: put bpf_link's program when link is safe to be deallocated

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: put bpf_link's program when link is safe to be deallocated

	In general, BPF link's underlying BPF program should be considered to be
	reachable through attach hook -> link -> prog chain, and, pessimistically,
	we have to assume that as long as link's memory is not safe to free,
	attach hook's code might hold a pointer to BPF program and use it.

	As such, it's not (generally) correct to put link's program early before
	waiting for RCU GPs to go through. More eager bpf_prog_put() that we
	currently do is mostly correct due to BPF program's release code doing
	similar RCU GP waiting, but as will be shown in the following patches,
	BPF program can be non-sleepable (and, thus, reliant on only "classic"
	RCU GP), while BPF link's attach hook can have sleepable semantics and
	needs to be protected by RCU Tasks Trace, and for such cases BPF link
	has to go through RCU Tasks Trace + "classic" RCU GPs before being
	deallocated. And so, if we put BPF program early, we might free BPF
	program before we free BPF link, leading to use-after-free situation.

	So, this patch defers bpf_prog_put() until we are ready to perform
	bpf_link's deallocation. At worst, this delays BPF program freeing by
	one extra RCU GP, but that seems completely acceptable. Alternatively,
	we'd need more elaborate ways to determine BPF hook, BPF link, and BPF
	program lifetimes, and how they relate to each other, which seems like
	an unnecessary complication.

	Note, for most BPF links we still will perform eager bpf_prog_put() and
	link dealloc, so for those BPF links there are no observable changes
	whatsoever. Only BPF links that use deferred dealloc might notice
	slightly delayed freeing of BPF programs.

	Also, to reduce code and logic duplication, extract program put + link
	dealloc logic into bpf_link_dealloc() helper.

	The Linux kernel CVE team has assigned CVE-2024-56786 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.66 with commit 5fe23c57abadfd46a7a66e81f3536e4757252a0b
	Fixed in 6.12.5 with commit 2fcb921c2799c49ac5e365cf4110f94a64ae4885
	Fixed in 6.13 with commit f44ec8733a8469143fde1984b5e6931b2e2f6f3f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56786
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/syscall.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5fe23c57abadfd46a7a66e81f3536e4757252a0b
	https://git.kernel.org/stable/c/2fcb921c2799c49ac5e365cf4110f94a64ae4885
	https://git.kernel.org/stable/c/f44ec8733a8469143fde1984b5e6931b2e2f6f3f