CyberCodex

CVE-2024-35895

Published at:

2024-05-19T09:15:10.477

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Global infos:

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&host->lock); lock(&htab->buckets[i].lock); lock(&host->lock); Locks in sockmap are hardirq-unsafe by design. We expects elements to be deleted from sockmap/sockhash only in task (normal) context with interrupts enabled, or in softirq context. Detect when map_delete_elem operation is invoked from a context which is _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an error. Note that map updates are not affected by this issue. BPF verifier does not allow updating sockmap/sockhash from a BPF tracing program today.

CVE Status: Analyzed

References:

416baaa9-dc9f-4396-8d5f-8c081fb06d67

af854a3a-2127-422b-91ae-364da2661108

Metrics:

Attribute	Value
Attack Complexity	LOW
Attack Vector	LOCAL
Availability Impact	HIGH
Base Score	5.5
Base Severity	MEDIUM
Confidentiality Impact	NONE
Integrity Impact	NONE
Privileges Required	LOW
Scope	UNCHANGED
User Interaction	NONE
Vector String	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability Score	1.8
Impact Score	3.6
Source	[email protected]
Type	Primary

Links:

Exploit-db
Github