| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024051950-CVE-2024-35895-cb33@gregkh>
Date: Sun, 19 May 2024 10:35:09 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35895: bpf, sockmap: Prevent lock inversion deadlock in map delete elem
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
syzkaller started using corpuses where a BPF tracing program deletes
elements from a sockmap/sockhash map. Because BPF tracing programs can be
invoked from any interrupt context, locks taken during a map_delete_elem
operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
is possible, as reported by lockdep:
CPU0 CPU1
---- ----
lock(&htab->buckets[i].lock);
local_irq_disable();
lock(&host->lock);
lock(&htab->buckets[i].lock);
<Interrupt>
lock(&host->lock);
Locks in sockmap are hardirq-unsafe by design. We expects elements to be
deleted from sockmap/sockhash only in task (normal) context with interrupts
enabled, or in softirq context.
Detect when map_delete_elem operation is invoked from a context which is
_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
error.
Note that map updates are not affected by this issue. BPF verifier does not
allow updating sockmap/sockhash from a BPF tracing program today.
The Linux kernel CVE team has assigned CVE-2024-35895 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 5.4.274 with commit f7990498b05a
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 5.10.215 with commit dd54b48db0c8
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 5.15.154 with commit d1e73fb19a4c
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 6.1.85 with commit a44770fed865
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 6.6.26 with commit 668b3074aa14
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 6.8.5 with commit 6af057ccdd8e
Issue introduced in 4.20 with commit 604326b41a6f and fixed in 6.9 with commit ff9105993240
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35895
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/sock_map.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058
https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75
https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5
https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86
https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd
https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48
Powered by blists - more mailing lists