In the Linux kernel, the following vulnerability has been resolved:

bpf: support deferring bpf_link dealloc to after RCU grace period

BPF link for some program types is passed as a “context” which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.

Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data.

This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP.

BPF is using two flavors of RCU: “classic” non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program’s sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP and then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable.

We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch raw_tp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose raw_tp link data (specifically, cookie value) to BPF program at runtime as well.
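The dispatch described above can be followed in a small userspace model; this is an added example, not the kernel's code, and it records simulated grace periods in a string instead of calling the RCU APIs. The names `model_link_free`, `deferred_ops`, `sync_ops` and the `trace` field are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model (assumption): each link sets exactly one dealloc callback. */
struct link;
struct link_ops {
    void (*dealloc)(struct link *);          /* synchronous free */
    void (*dealloc_deferred)(struct link *); /* free only after RCU GP */
};
struct link {
    const struct link_ops *ops;
    bool prog_sleepable; /* sleepable flag of the underlying BPF program */
    char trace[96];      /* ordered record of simulated steps */
};

static bool trace_implies_rcu_gp = true; /* models rcu_trace_implies_rcu_gp() */

static void note(struct link *l, const char *s)
{
    strncat(l->trace, s, sizeof(l->trace) - strlen(l->trace) - 1);
}
static void free_sync(struct link *l)     { note(l, "dealloc;"); }
static void free_deferred(struct link *l) { note(l, "dealloc_deferred;"); }

/* Stand-in for a classic RCU callback: record the wait, then run cb. */
static void after_rcu_gp(struct link *l, void (*cb)(struct link *))
{
    note(l, "rcu_gp;");
    cb(l);
}
/* Stand-in for the RCU tasks trace callback used for sleepable programs. */
static void after_tasks_trace_gp(struct link *l)
{
    note(l, "tasks_trace_gp;");
    if (trace_implies_rcu_gp)
        l->ops->dealloc_deferred(l); /* trace GP already covers classic GP */
    else
        after_rcu_gp(l, l->ops->dealloc_deferred);
}
/* Model of the choice made when the link refcount drops to zero. */
static const char *model_link_free(struct link *l)
{
    l->trace[0] = '\0';
    if (!l->ops->dealloc_deferred)
        l->ops->dealloc(l);          /* no runtime readers: free right away */
    else if (l->prog_sleepable)
        after_tasks_trace_gp(l);
    else
        after_rcu_gp(l, l->ops->dealloc_deferred);
    return l->trace;
}
static const struct link_ops deferred_ops = { .dealloc_deferred = free_deferred };
static const struct link_ops sync_ops = { .dealloc = free_sync };

int main(void)
{
    struct link l = { .ops = &deferred_ops, .prog_sleepable = true };
    puts(model_link_free(&l));
    return 0;
}
```

In the model, a link whose data is read while the program runs never reaches its free callback before at least one simulated grace period has been recorded.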

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-azure | < 6.8.0-1010.10 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gcp | < 6.8.0-1010.11 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gke | < 6.8.0-1006.9 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-ibm | < 6.8.0-1008.8 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-intel | < 6.8.0-1007.14 | UNKNOWN |

git.kernel.org/linus/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce (6.9-rc3)
git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce
git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8
git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97
launchpad.net/bugs/cve/CVE-2024-35860
nvd.nist.gov/vuln/detail/CVE-2024-35860
security-tracker.debian.org/tracker/CVE-2024-35860
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6918-1
www.cve.org/CVERecord?id=CVE-2024-35860