cve/published/2024/CVE-2024-58060.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-58060: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

 There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n.
 In particular, the report is on tcp_congestion_ops that has
 a "struct module *owner" member.

 For struct_ops that has a "struct module *owner" member,
 it can be extended either by the regular kernel module or
 by the bpf_struct_ops. bpf_try_module_get() will be used
 to do the refcounting and different refcount is done
 based on the owner pointer. When CONFIG_MODULES=n,
 the btf_id of the "struct module" is missing:

 WARN: resolve_btfids: unresolved symbol module

 Thus, the bpf_try_module_get() cannot do the correct refcounting.

 Not all subsystem's struct_ops requires the "struct module *owner" member.
 e.g. the recent sched_ext_ops.

 This patch is to disable bpf_struct_ops registration if
 the struct_ops has the "struct module *" member and the
 "struct module" btf_id is missing. The btf_type_is_fwd() helper
 is moved to the btf.h header file for this test.

 This has happened since the beginning of bpf_struct_ops which has gone
 through many changes. The Fixes tag is set to a recent commit that this
 patch can apply cleanly. Considering CONFIG_MODULES=n is not
 common and the age of the issue, targeting for bpf-next also.

 The Linux kernel CVE team has assigned CVE-2024-58060 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.12.13 with commit b777b14c2a4a4e2322daf8e8ffd42d2b88831b17
 	Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.13.2 with commit 2324fb4e92092837ee278fdd8d60c48ee1a619ce
 	Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.14 with commit 96ea081ed52bf077cad6d00153b6fba68e510767

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-58060
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/btf.h
 	kernel/bpf/bpf_struct_ops.c
 	kernel/bpf/btf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b777b14c2a4a4e2322daf8e8ffd42d2b88831b17
 	https://git.kernel.org/stable/c/2324fb4e92092837ee278fdd8d60c48ee1a619ce
 	https://git.kernel.org/stable/c/96ea081ed52bf077cad6d00153b6fba68e510767
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-58060: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

	There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n.
	In particular, the report is on tcp_congestion_ops that has
	a "struct module *owner" member.

	For struct_ops that has a "struct module *owner" member,
	it can be extended either by the regular kernel module or
	by the bpf_struct_ops. bpf_try_module_get() will be used
	to do the refcounting and different refcount is done
	based on the owner pointer. When CONFIG_MODULES=n,
	the btf_id of the "struct module" is missing:

	WARN: resolve_btfids: unresolved symbol module

	Thus, the bpf_try_module_get() cannot do the correct refcounting.

	Not all subsystem's struct_ops requires the "struct module *owner" member.
	e.g. the recent sched_ext_ops.

	This patch is to disable bpf_struct_ops registration if
	the struct_ops has the "struct module *" member and the
	"struct module" btf_id is missing. The btf_type_is_fwd() helper
	is moved to the btf.h header file for this test.

	This has happened since the beginning of bpf_struct_ops which has gone
	through many changes. The Fixes tag is set to a recent commit that this
	patch can apply cleanly. Considering CONFIG_MODULES=n is not
	common and the age of the issue, targeting for bpf-next also.

	The Linux kernel CVE team has assigned CVE-2024-58060 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.12.13 with commit b777b14c2a4a4e2322daf8e8ffd42d2b88831b17
	Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.13.2 with commit 2324fb4e92092837ee278fdd8d60c48ee1a619ce
	Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.14 with commit 96ea081ed52bf077cad6d00153b6fba68e510767

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-58060
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/btf.h
	kernel/bpf/bpf_struct_ops.c
	kernel/bpf/btf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b777b14c2a4a4e2322daf8e8ffd42d2b88831b17
	https://git.kernel.org/stable/c/2324fb4e92092837ee278fdd8d60c48ee1a619ce
	https://git.kernel.org/stable/c/96ea081ed52bf077cad6d00153b6fba68e510767