cve-2024-35895
Vulnerability from cvelistv5
Published
2024-05-19 08:34
Modified
2024-12-19 08:57
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&host->lock); lock(&htab->buckets[i].lock); <Interrupt> lock(&host->lock); Locks in sockmap are hardirq-unsafe by design. We expects elements to be deleted from sockmap/sockhash only in task (normal) context with interrupts enabled, or in softirq context. Detect when map_delete_elem operation is invoked from a context which is _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an error. Note that map updates are not affected by this issue. BPF verifier does not allow updating sockmap/sockhash from a BPF tracing program today.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/913c30f827e17d8cda1da6eeb990f350d36cb69b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Impacted products
Vendor Product Version
Linux Linux Version: 4.20
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T19:25:39.256006Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:48.419Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.577Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/sock_map.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f7990498b05ac41f7d6a190dc0418ef1d21bf058",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "dd54b48db0c822ae7b520bc80751f0a0a173ef75",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "a44770fed86515eedb5a7c00b787f847ebb134a5",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "668b3074aa14829e2ac2759799537a93b60fef86",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "913c30f827e17d8cda1da6eeb990f350d36cb69b",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "6af057ccdd8e7619960aca1f0428339f213b31cd",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "ff91059932401894e6c86341915615c5eb0eca48",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/sock_map.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.274",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(\u0026htab-\u003ebuckets[i].lock);\n                               local_irq_disable();\n                               lock(\u0026host-\u003elock);\n                               lock(\u0026htab-\u003ebuckets[i].lock);\n  \u003cInterrupt\u003e\n    lock(\u0026host-\u003elock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:57:45.275Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86"
        },
        {
          "url": "https://git.kernel.org/stable/c/913c30f827e17d8cda1da6eeb990f350d36cb69b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48"
        }
      ],
      "title": "bpf, sockmap: Prevent lock inversion deadlock in map delete elem",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35895",
    "datePublished": "2024-05-19T08:34:50.276Z",
    "dateReserved": "2024-05-17T13:50:33.113Z",
    "dateUpdated": "2024-12-19T08:57:45.275Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35895\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T09:15:10.477\",\"lastModified\":\"2024-11-21T09:21:08.920\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\\n\\nsyzkaller started using corpuses where a BPF tracing program deletes\\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\\ninvoked from any interrupt context, locks taken during a map_delete_elem\\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\\nis possible, as reported by lockdep:\\n\\n       CPU0                    CPU1\\n       ----                    ----\\n  lock(\u0026htab-\u003ebuckets[i].lock);\\n                               local_irq_disable();\\n                               lock(\u0026host-\u003elock);\\n                               lock(\u0026htab-\u003ebuckets[i].lock);\\n  \u003cInterrupt\u003e\\n    lock(\u0026host-\u003elock);\\n\\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\\nenabled, or in softirq context.\\n\\nDetect when map_delete_elem operation is invoked from a context which is\\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\\nerror.\\n\\nNote that map updates are not affected by this issue. BPF verifier does not\\nallow updating sockmap/sockhash from a BPF tracing program today.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, sockmap: Evitar el punto muerto de inversi\u00f3n de bloqueo en la eliminaci\u00f3n del mapa elem syzkaller comenz\u00f3 a usar corpus donde un programa de seguimiento BPF elimina elementos de un mapa sockmap/sockhash. Debido a que los programas de seguimiento BPF se pueden invocar desde cualquier contexto de interrupci\u00f3n, los bloqueos realizados durante una operaci\u00f3n map_delete_elem deben ser seguros. De lo contrario, es posible que se produzca un punto muerto debido a la inversi\u00f3n del bloqueo, como lo informa lockdep: CPU0 CPU1 ---- ---- lock(\u0026amp;htab-\u0026gt;buckets[i].lock); local_irq_disable(); bloquear(\u0026amp;host-\u0026gt;bloquear); lock(\u0026amp;htab-\u0026gt;cubos[i].lock);  bloqueo(\u0026amp;host-\u0026gt;bloqueo); Los bloqueos en sockmap son dif\u00edciles de inseguro por dise\u00f1o. Esperamos que los elementos se eliminen de sockmap/sockhash solo en el contexto de la tarea (normal) con las interrupciones habilitadas o en el contexto de softirq. Detecta cu\u00e1ndo se invoca la operaci\u00f3n map_delete_elem desde un contexto que _no_ es hardirq-inseguro, es decir, las interrupciones est\u00e1n deshabilitadas y sale con un error. Tenga en cuenta que las actualizaciones de mapas no se ven afectadas por este problema. El verificador de BPF no permite actualizar sockmap/sockhash desde un programa de seguimiento de BPF en la actualidad.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/913c30f827e17d8cda1da6eeb990f350d36cb69b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.