In the Linux kernel, the following vulnerability has been resolved: bpf:
Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The
following race is possible between bpf_timer_cancel_and_free and
bpf_timer_cancel. It will lead a UAF on the timer->timer.
bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock();
bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer =
NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */
hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees
the timer->timer after a rcu grace period. This requires a rcu_head
addition to the “struct bpf_hrtimer”. Another kfree(t) happens in
bpf_timer_init, this does not need a kfree_rcu because it is still under
the spin_lock and timer->timer has not been visible by others yet. In
bpf_timer_cancel, rcu_read_lock() is added because this helper can be used
in a non rcu critical section context (e.g. from a sleepable bpf prog).
Other timer->timer usages in helpers.c have been audited,
bpf_timer_cancel() is the only place where timer->timer is used outside of
the spin_lock. Another solution considered is to mark a t->flag in
bpf_timer_cancel and clear it after hrtimer_cancel() is done. In
bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before
kfree(t). This patch goes with a straight forward solution and frees
timer->timer after a rcu grace period.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1063.69~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1066.75 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < 5.15.0-1067.76.1 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-fde-5.15 | < 5.15.0-1065.74~20.04.1.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp | < 5.15.0-1062.70 | UNKNOWN |
git.kernel.org/linus/0281b919e175bb9c3128bd3872ac2903e9436e3f (6.8-rc6)
git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f
git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c
git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33
git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6
git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5
launchpad.net/bugs/cve/CVE-2024-26737
nvd.nist.gov/vuln/detail/CVE-2024-26737
security-tracker.debian.org/tracker/CVE-2024-26737
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
ubuntu.com/security/notices/USN-6871-1
ubuntu.com/security/notices/USN-6892-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2024-26737