CVE - CVE-2024-26737

CVE-ID
CVE-2024-26737	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f URL:https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f MISC:https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c URL:https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c MISC:https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33 URL:https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33 MISC:https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6 URL:https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6 MISC:https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5 URL:https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5
Assigning CNA
kernel.org
Date Record Created
20240219	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240219)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)