{ "threat_severity" : "Low", "public_date" : "2024-12-27T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf: Call free_htab_elem() after htab_unlock_bucket()", "id" : "2334494", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334494" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-457", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Call free_htab_elem() after htab_unlock_bucket()\nFor htab of maps, when the map is removed from the htab, it may hold the\nlast reference of the map. bpf_map_fd_put_ptr() will invoke\nbpf_map_free_id() to free the id of the removed map element. However,\nbpf_map_fd_put_ptr() is invoked while holding a bucket lock\n(raw_spin_lock_t), and bpf_map_free_id() attempts to acquire map_idr_lock\n(spinlock_t), triggering the following lockdep warning:\n=============================\n[ BUG: Invalid wait context ]\n6.11.0-rc4+ #49 Not tainted\n-----------------------------\ntest_maps/4881 is trying to lock:\nffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70\nother info that might help us debug this:\ncontext-{5:5}\n2 locks held by test_maps/4881:\n#0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270\n#1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80\nstack backtrace:\nCPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...\nCall Trace:\n\ndump_stack_lvl+0x6e/0xb0\ndump_stack+0x10/0x20\n__lock_acquire+0x73e/0x36c0\nlock_acquire+0x182/0x450\n_raw_spin_lock_irqsave+0x43/0x70\nbpf_map_free_id.part.0+0x21/0x70\nbpf_map_put+0xcf/0x110\nbpf_map_fd_put_ptr+0x9a/0xb0\nfree_htab_elem+0x69/0xe0\nhtab_map_update_elem+0x50f/0xa80\nbpf_fd_htab_map_update_elem+0x131/0x270\nhtab_map_update_elem+0x50f/0xa80\nbpf_fd_htab_map_update_elem+0x131/0x270\nbpf_map_update_value+0x266/0x380\n__sys_bpf+0x21bb/0x36b0\n__x64_sys_bpf+0x45/0x60\nx64_sys_call+0x1b2a/0x20d0\ndo_syscall_64+0x5d/0x100\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nOne way to fix the lockdep warning is using raw_spinlock_t for\nmap_idr_lock as well. However, bpf_map_alloc_id() invokes\nidr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a\nsimilar lockdep warning because the slab's lock (s->cpu_slab->lock) is\nstill a spinlock.\nInstead of changing map_idr_lock's type, fix the issue by invoking\nhtab_put_fd_value() after htab_unlock_bucket(). However, only deferring\nthe invocation of htab_put_fd_value() is not enough, because the old map\npointers in htab of maps can not be saved during batched deletion.\nTherefore, also defer the invocation of free_htab_elem(), so these\nto-be-freed elements could be linked together similar to lru map.\nThere are four callers for ->map_fd_put_ptr:\n(1) alloc_htab_elem() (through htab_put_fd_value())\nIt invokes ->map_fd_put_ptr() under a raw_spinlock_t. The invocation of\nhtab_put_fd_value() can not simply move after htab_unlock_bucket(),\nbecause the old element has already been stashed in htab->extra_elems.\nIt may be reused immediately after htab_unlock_bucket() and the\ninvocation of htab_put_fd_value() after htab_unlock_bucket() may release\nthe newly-added element incorrectly. Therefore, saving the map pointer\nof the old element for htab of maps before unlocking the bucket and\nreleasing the map_ptr after unlock. Beside the map pointer in the old\nelement, should do the same thing for the special fields in the old\nelement as well.\n(2) free_htab_elem() (through htab_put_fd_value())\nIts caller includes __htab_map_lookup_and_delete_elem(),\nhtab_map_delete_elem() and __htab_map_lookup_and_delete_batch().\nFor htab_map_delete_elem(), simply invoke free_htab_elem() after\nhtab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just\nlike lru map, linking the to-be-freed element into node_to_free list\nand invoking free_htab_elem() for these element after unlock. It is safe\nto reuse batch_flink as the link for node_to_free, because these\nelements have been removed from the hash llist.\nBecause htab of maps doesn't support lookup_and_delete operation,\n__htab_map_lookup_and_delete_elem() doesn't have the problem, so kept\nit as\n---truncated---" ], "statement" : "The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.\nFor the Red Hat Enterprise Linux 9 to confirm the current state, inspect the sysctl with the command:\ncat /proc/sys/kernel/unprivileged_bpf_disabled\nThe setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-56592\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56592\nhttps://lore.kernel.org/linux-cve-announce/2024122700-CVE-2024-56592-d4b2@gregkh/T" ], "name" : "CVE-2024-56592", "csaw" : false }