lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025030608-CVE-2024-58060-e849@gregkh> Date: Thu, 6 Mar 2025 16:54:13 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-58060: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing Description =========== In the Linux kernel, the following vulnerability has been resolved: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member. For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing: WARN: resolve_btfids: unresolved symbol module Thus, the bpf_try_module_get() cannot do the correct refcounting. Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops. This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test. This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also. The Linux kernel CVE team has assigned CVE-2024-58060 to this issue. Affected and fixed versions =========================== Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.12.13 with commit b777b14c2a4a4e2322daf8e8ffd42d2b88831b17 Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.13.2 with commit 2324fb4e92092837ee278fdd8d60c48ee1a619ce Issue introduced in 6.9 with commit 1611603537a4b88cec7993f32b70c03113801a46 and fixed in 6.14-rc1 with commit 96ea081ed52bf077cad6d00153b6fba68e510767 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-58060 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/linux/btf.h kernel/bpf/bpf_struct_ops.c kernel/bpf/btf.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b777b14c2a4a4e2322daf8e8ffd42d2b88831b17 https://git.kernel.org/stable/c/2324fb4e92092837ee278fdd8d60c48ee1a619ce https://git.kernel.org/stable/c/96ea081ed52bf077cad6d00153b6fba68e510767
Powered by blists - more mailing lists