CVE-2024-56592

Published: Dic 27, 2024 Last Modified: Ott 08, 2025 EU-VD ID: EUVD-2024-53240

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

bpf: Call free_htab_elem() after htab_unlock_bucket()

For htab of maps, when the map is removed from the htab, it may hold the
last reference of the map. bpf_map_fd_put_ptr() will invoke
bpf_map_free_id() to free the id of the removed map element. However,
bpf_map_fd_put_ptr() is invoked while holding a bucket lock
(raw_spin_lock_t), and bpf_map_free_id() attempts to acquire map_idr_lock
(spinlock_t), triggering the following lockdep warning:

=============================
[ BUG: Invalid wait context ]
6.11.0-rc4+ #49 Not tainted
-----------------------------
test_maps/4881 is trying to lock:
ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70
other info that might help us debug this:
context-{5:5}
2 locks held by test_maps/4881:
#0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270
#1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80
stack backtrace:
CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0xb0
dump_stack+0x10/0x20
__lock_acquire+0x73e/0x36c0
lock_acquire+0x182/0x450
_raw_spin_lock_irqsave+0x43/0x70
bpf_map_free_id.part.0+0x21/0x70
bpf_map_put+0xcf/0x110
bpf_map_fd_put_ptr+0x9a/0xb0
free_htab_elem+0x69/0xe0
htab_map_update_elem+0x50f/0xa80
bpf_fd_htab_map_update_elem+0x131/0x270
htab_map_update_elem+0x50f/0xa80
bpf_fd_htab_map_update_elem+0x131/0x270
bpf_map_update_value+0x266/0x380
__sys_bpf+0x21bb/0x36b0
__x64_sys_bpf+0x45/0x60
x64_sys_call+0x1b2a/0x20d0
do_syscall_64+0x5d/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e

One way to fix the lockdep warning is using raw_spinlock_t for
map_idr_lock as well. However, bpf_map_alloc_id() invokes
idr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a
similar lockdep warning because the slab's lock (s->cpu_slab->lock) is
still a spinlock.

Instead of changing map_idr_lock's type, fix the issue by invoking
htab_put_fd_value() after htab_unlock_bucket(). However, only deferring
the invocation of htab_put_fd_value() is not enough, because the old map
pointers in htab of maps can not be saved during batched deletion.
Therefore, also defer the invocation of free_htab_elem(), so these
to-be-freed elements could be linked together similar to lru map.

There are four callers for ->map_fd_put_ptr:

(1) alloc_htab_elem() (through htab_put_fd_value())
It invokes ->map_fd_put_ptr() under a raw_spinlock_t. The invocation of
htab_put_fd_value() can not simply move after htab_unlock_bucket(),
because the old element has already been stashed in htab->extra_elems.
It may be reused immediately after htab_unlock_bucket() and the
invocation of htab_put_fd_value() after htab_unlock_bucket() may release
the newly-added element incorrectly. Therefore, saving the map pointer
of the old element for htab of maps before unlocking the bucket and
releasing the map_ptr after unlock. Beside the map pointer in the old
element, should do the same thing for the special fields in the old
element as well.

(2) free_htab_elem() (through htab_put_fd_value())
Its caller includes __htab_map_lookup_and_delete_elem(),
htab_map_delete_elem() and __htab_map_lookup_and_delete_batch().

For htab_map_delete_elem(), simply invoke free_htab_elem() after
htab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just
like lru map, linking the to-be-freed element into node_to_free list
and invoking free_htab_elem() for these element after unlock. It is safe
to reuse batch_flink as the link for node_to_free, because these
elements have been removed from the hash llist.

Because htab of maps doesn't support lookup_and_delete operation,
__htab_map_lookup_and_delete_elem() doesn't have the problem, so kept
it as
---truncated---

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

bpf: Call free_htab_elem() dopo htab_unlock_bucket()

Per gli htab delle mappe, quando la mappa viene rimossa dall'htab, potrebbe mantenere l'ultimo riferimento alla mappa stessa. La funzione bpf_map_fd_put_ptr() invoca bpf_map_free_id() per liberare l'id dell'elemento mappa rimosso. Tuttavia, bpf_map_fd_put_ptr() viene chiamata mentre si detiene un lock sul bucket (raw_spin_lock_t), e bpf_map_free_id() tenta di acquisire il lock map_idr_lock (spinlock_t), generando il seguente warning di lockdep:

=============================
[ BUG: Invalid wait context ]
6.11.0-rc4+ #49 Not tainted
-----------------------------
test_maps/4881 sta cercando di bloccare:
ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70
altre info utili per il debug:
contesto-{5:5}
2 lock già detenuti da test_maps/4881:
#0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270
#1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80
traccia dello stack:
CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49
Nome hardware: QEMU Standard PC (i440FX + PIIX, 1996), ...
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0xb0
dump_stack+0x10/0x20
__lock_acquire+0x73e/0x36c0
lock_acquire+0x182/0x450
_raw_spin_lock_irqsave+0x43/0x70
bpf_map_free_id.part.0+0x21/0x70
bpf_map_put+0xcf/0x110
bpf_map_fd_put_ptr+0x9a/0xb0
free_htab_elem+0x69/0xe0
htab_map_update_elem+0x50f/0xa80
bpf_fd_htab_map_update_elem+0x131/0x270
htab_map_update_elem+0x50f/0xa80
bpf_fd_htab_map_update_elem+0x131/0x270
bpf_map_update_value+0x266/0x380
__sys_bpf+0x21bb/0x36b0
__x64_sys_bpf+0x45/0x60
x64_sys_call+0x1b2a/0x20d0
do_syscall_64+0x5d/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Un modo per risolvere il warning di lockdep è usare raw_spinlock_t anche per map_idr_lock. Tuttavia, poiché bpf_map_alloc_id() invoca idr_alloc_cyclic() dopo aver acquisito map_idr_lock, si genera un warning simile perché il lock dello slab (s->cpu_slab->lock) rimane uno spinlock.

Invece di modificare il tipo di map_idr_lock, si può risolvere il problema chiamando htab_put_fd_value() dopo htab_unlock_bucket(). Tuttavia, limitare la chiamata a htab_put_fd_value() non è sufficiente, perché i puntatori alle vecchie mappe in htab delle mappe non possono essere salvati durante la cancellazione batch. Pertanto, si deve anche posticipare l'invocazione di free_htab_elem(), in modo che gli elementi da liberare possano essere collegati tra loro in modo simile a lru map.

Ci sono quattro chiamanti per ->map_fd_put_ptr:

(1) alloc_htab_elem() (tramite htab_put_fd_value())
Invoca ->map_fd_put_ptr() sotto un raw_spinlock_t. La chiamata a htab_put_fd_value() non può semplicemente spostarsi dopo htab_unlock_bucket(), perché l'elemento vecchio è già stato memorizzato in htab->extra_elems. Potrebbe essere riutilizzato immediatamente dopo htab_unlock_bucket() e chiamare htab_put_fd_value() dopo htab_unlock_bucket() potrebbe erroneamente rilasciare l'elemento appena aggiunto. Pertanto, si deve salvare il puntatore alla mappa dell'elemento vecchio prima di sbloccare il bucket, e rilasciare il puntatore alla mappa dopo l'unlock. Oltre al puntatore alla mappa nell'elemento vecchio, si deve fare lo stesso anche per i campi speciali dell'elemento stesso.

(2) free_htab_elem() (tramite htab_put_fd_value())
I suoi chiamanti includono __htab_map_lookup_and_delete_elem(), htab_map_delete_elem() e __htab_map_lookup_and_delete_batch().

Per htab_map_delete_elem(), basta chiamare free_htab_elem() dopo htab_unlock_bucket(). Per __htab_map_lookup_and_delete_batch(), come per lru map, si collega l'elemento da liberare alla lista node_to_free e si invoca free_htab_elem() per questi elementi dopo l'unlock. È sicuro riutilizzare batch_flink come link per node_to_free, perché questi elementi sono stati rimossi dalla lista hash.

Poiché l'htab delle mappe non supporta operazioni di lookup_and_delete, __htab_map_lookup_and_delete_elem() non presenta il problema, quindi è mantenuto così come è.
---troncato---

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

EPSS Score Trend (Last 90 Days)

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.7 (inclusive)

To 6.12.5 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 4.13 (inclusive)

To 6.6.66 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://git.kernel.org/stable/c/10e8a2dec9ff1b81de8e892b085…

https://git.kernel.org/stable/c/10e8a2dec9ff1b81de8e892b0850924038adbc6d

https://git.kernel.org/stable/c/a50b4aa3007e63a590d501341f3…

https://git.kernel.org/stable/c/a50b4aa3007e63a590d501341f304676ebc74b3b

https://git.kernel.org/stable/c/b9e9ed90b10c82a4e9d4d70a289…

https://git.kernel.org/stable/c/b9e9ed90b10c82a4e9d4d70a2890f06bfcdd3b78

CVE-2024-56592

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Iscriviti alla newsletter