CVE-2024-35895

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

syzkaller started using corpuses where a BPF tracing program deletes
elements from a sockmap/sockhash map. Because BPF tracing programs can be
invoked from any interrupt context, locks taken during a map_delete_elem
operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
is possible, as reported by lockdep:

CPU0 CPU1
---- ----
lock(&htab->buckets[i].lock);
local_irq_disable();
lock(&host->lock);
lock(&htab->buckets[i].lock);
<Interrupt>
lock(&host->lock);

Locks in sockmap are hardirq-unsafe by design. We expects elements to be
deleted from sockmap/sockhash only in task (normal) context with interrupts
enabled, or in softirq context.

Detect when map_delete_elem operation is invoked from a context which is
_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
error.

Note that map updates are not affected by this issue. BPF verifier does not
allow updating sockmap/sockhash from a BPF tracing program today.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, sockmap: Evitar el punto muerto de inversión de bloqueo en la eliminación del mapa elem syzkaller comenzó a usar corpus donde un programa de seguimiento BPF elimina elementos de un mapa sockmap/sockhash. Debido a que los programas de seguimiento BPF se pueden invocar desde cualquier contexto de interrupción, los bloqueos realizados durante una operación map_delete_elem deben ser seguros. De lo contrario, es posible que se produzca un punto muerto debido a la inversión del bloqueo, como lo informa lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); bloquear(&host->bloquear); lock(&htab->cubos[i].lock); bloqueo(&host->bloqueo); Los bloqueos en sockmap son difíciles de inseguro por diseño. Esperamos que los elementos se eliminen de sockmap/sockhash solo en el contexto de la tarea (normal) con las interrupciones habilitadas o en el contexto de softirq. Detecta cuándo se invoca la operación map_delete_elem desde un contexto que _no_ es hardirq-inseguro, es decir, las interrupciones están deshabilitadas y sale con un error. Tenga en cuenta que las actualizaciones de mapas no se ven afectadas por este problema. El verificador de BPF no permite actualizar sockmap/sockhash desde un programa de seguimiento de BPF en la actualidad.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-19 CVE Published
2024-05-20 EPSS Updated
2024-08-29 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058	2024-04-13
https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75	2024-04-13
https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec	2024-04-10
https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5	2024-04-10
https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86	2024-04-10
https://git.kernel.org/stable/c/913c30f827e17d8cda1da6eeb990f350d36cb69b	2024-08-29
https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd	2024-04-10
https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48	2024-04-02

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35895	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2281677	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.1.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.1.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.6.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.6.48 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.6.48"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.8.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 6.9"		en		Affected