We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-56786

bpf: put bpf_link's program when link is safe to be deallocated



Description

In the Linux kernel, the following vulnerability has been resolved: bpf: put bpf_link's program when link is safe to be deallocated In general, BPF link's underlying BPF program should be considered to be reachable through attach hook -> link -> prog chain, and, pessimistically, we have to assume that as long as link's memory is not safe to free, attach hook's code might hold a pointer to BPF program and use it. As such, it's not (generally) correct to put link's program early before waiting for RCU GPs to go through. More eager bpf_prog_put() that we currently do is mostly correct due to BPF program's release code doing similar RCU GP waiting, but as will be shown in the following patches, BPF program can be non-sleepable (and, thus, reliant on only "classic" RCU GP), while BPF link's attach hook can have sleepable semantics and needs to be protected by RCU Tasks Trace, and for such cases BPF link has to go through RCU Tasks Trace + "classic" RCU GPs before being deallocated. And so, if we put BPF program early, we might free BPF program before we free BPF link, leading to use-after-free situation. So, this patch defers bpf_prog_put() until we are ready to perform bpf_link's deallocation. At worst, this delays BPF program freeing by one extra RCU GP, but that seems completely acceptable. Alternatively, we'd need more elaborate ways to determine BPF hook, BPF link, and BPF program lifetimes, and how they relate to each other, which seems like an unnecessary complication. Note, for most BPF links we still will perform eager bpf_prog_put() and link dealloc, so for those BPF links there are no observable changes whatsoever. Only BPF links that use deferred dealloc might notice slightly delayed freeing of BPF programs. Also, to reduce code and logic duplication, extract program put + link dealloc logic into bpf_link_dealloc() helper.

Reserved 2024-12-29 | Published 2025-01-08 | Updated 2025-01-08 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 5fe23c57abadfd46a7a66e81f3536e4757252a0b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 2fcb921c2799c49ac5e365cf4110f94a64ae4885
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before f44ec8733a8469143fde1984b5e6931b2e2f6f3f
affected

Default status
affected

6.6.66
unaffected

6.12.5
unaffected

6.13-rc1
unaffected

References

git.kernel.org/...c/5fe23c57abadfd46a7a66e81f3536e4757252a0b

git.kernel.org/...c/2fcb921c2799c49ac5e365cf4110f94a64ae4885

git.kernel.org/...c/f44ec8733a8469143fde1984b5e6931b2e2f6f3f

cve.org (CVE-2024-56786)

nvd.nist.gov (CVE-2024-56786)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-56786

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.