From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2023-52447: bpf: Defer the free of inner map when necessary
Date: Thu, 22 Feb 2024 17:21:55 +0100
Message-ID: <2024022255-CVE-2023-52447-e074@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer the free of inner map when necessary

When updating or deleting an inner map in map array or map htab, the map
may still be accessed by non-sleepable program or sleepable program.
However, bpf_map_fd_put_ptr() decreases the ref-counter of the inner map
directly through bpf_map_put(). If the ref-counter is the last one (which
is true for most cases), the inner map will be freed by ops->map_free()
in a kworker. But for now, most .map_free() callbacks don't use
synchronize_rcu() or its variants to wait for the elapse of an RCU grace
period, so after the invocation of ops->map_free completes, the bpf
program which is accessing the inner map may incur a use-after-free
problem.

Fix the free of the inner map by invoking bpf_map_free_deferred() after
both one RCU grace period and one tasks trace RCU grace period if the
inner map has been removed from the outer map before. The deferment is
accomplished by using call_rcu() or call_rcu_tasks_trace() when
releasing the last ref-counter of bpf map. The newly-added rcu_head
field in bpf_map shares the same storage space with the work field to
reduce the size of bpf_map.

The Linux kernel CVE team has assigned CVE-2023-52447 to this issue.


Affected and fixed versions
===========================

    Issue introduced in 5.9 with commit 638e4b825d52 and fixed in 6.1.75 with commit 62fca83303d6
    Issue introduced in 5.9 with commit 638e4b825d52 and fixed in 6.6.14 with commit f91cd728b10c
    Issue introduced in 5.9 with commit 638e4b825d52 and fixed in 6.7.2 with commit bfd9b20c4862
    Issue introduced in 5.9 with commit 638e4b825d52 and fixed in 6.8-rc1 with commit 876673364161

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
    https://cve.org/CVERecord/?id=CVE-2023-52447
will be updated if fixes are backported, please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
    include/linux/bpf.h
    kernel/bpf/map_in_map.c
    kernel/bpf/syscall.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
    https://git.kernel.org/stable/c/62fca83303d608ad4fec3f7428c8685680bb01b0
    https://git.kernel.org/stable/c/f91cd728b10c51f6d4a39957ccd56d1e802fc8ee
    https://git.kernel.org/stable/c/bfd9b20c4862f41d4590fde11d70a5eeae53dcc5
    https://git.kernel.org/stable/c/876673364161da50eed6b472d746ef88242b2368
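The race the description outlines, and the shape of the fix, as an added userspace model (this is not kernel code and not part of the announcement): a reader holds a pointer to the inner map inside a read-side section while an update drops the slot's last reference. On the vulnerable path the last bpf_map_put() hands the map straight to a kworker, which can run before the reader is done; on the fixed path the release goes through call_rcu() and the kworker is only scheduled from the RCU callback, so the free lands after the grace period. RCU and the workqueue are replaced by single-threaded stand-ins (a reader flag, a callback list, a one-slot work queue), the two grace periods of the real fix are collapsed into one, and "freeing" is modelled as poisoning the payload and setting a flag so the stale read can be observed without undefined behaviour. All names are borrowed from the kernel for readability only; the union of work and rcu_head mirrors the storage sharing the description mentions.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: kernel names are reused for readability, but the
 * RCU, workqueue and free operations below are deterministic stand-ins. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct rcu_head { void (*func)(struct rcu_head *); struct rcu_head *next; };
struct work_struct { void (*func)(struct work_struct *); };

struct inner_map {
    int refcnt;
    int value;               /* payload a program reads through the map */
    bool freed;              /* model marker: set once the map was "freed" */
    union {                  /* rcu_head shares storage with work, as in the fix */
        struct work_struct work;
        struct rcu_head rcu;
    };
};

/* --- stand-ins for RCU and the kworker, single-threaded --- */
static bool reader_active;                 /* a program is inside rcu_read_lock() */
static struct rcu_head *pending_rcu;       /* callbacks waiting for a grace period */
static struct work_struct *pending_work;   /* one-slot kworker queue */

static void call_rcu(struct rcu_head *h, void (*func)(struct rcu_head *))
{
    h->func = func;
    h->next = pending_rcu;
    pending_rcu = h;
}

/* A grace period cannot end while a reader that started before the
 * callbacks were queued is still inside its read-side section. */
static void rcu_grace_period(void)
{
    if (reader_active)
        return;
    while (pending_rcu) {
        struct rcu_head *h = pending_rcu;
        pending_rcu = h->next;
        h->func(h);
    }
}

static void schedule_work(struct work_struct *w) { pending_work = w; }

/* The kworker may run at any time, including while a reader is active. */
static void run_kworker(void)
{
    if (!pending_work)
        return;
    struct work_struct *w = pending_work;
    pending_work = NULL;
    w->func(w);
}

/* --- the map release paths --- */
static void map_free_deferred(struct work_struct *w)  /* ops->map_free() stand-in */
{
    struct inner_map *m = container_of(w, struct inner_map, work);
    m->value = -1;                         /* poison: a stale read now returns -1 */
    m->freed = true;
}

static void map_free_rcu(struct rcu_head *h)          /* fixed path, after the grace period */
{
    struct inner_map *m = container_of(h, struct inner_map, rcu);
    m->work.func = map_free_deferred;      /* rcu_head is finished; reuse the shared storage */
    schedule_work(&m->work);
}

static void bpf_map_put(struct inner_map *m, bool fixed)
{
    if (--m->refcnt != 0)
        return;
    if (fixed) {
        call_rcu(&m->rcu, map_free_rcu);   /* defer the free past a grace period */
    } else {
        m->work.func = map_free_deferred;  /* vulnerable: kworker frees right away */
        schedule_work(&m->work);
    }
}

static struct inner_map *outer_map[1];     /* one-slot "map array" of inner maps */

static void outer_map_update(int idx, struct inner_map *new_map, bool fixed)
{
    struct inner_map *old = outer_map[idx];
    outer_map[idx] = new_map;              /* rcu_assign_pointer() in the kernel */
    if (old)
        bpf_map_put(old, fixed);           /* bpf_map_fd_put_ptr() drops the slot's ref */
}

/* Returns what the program observes through its pointer: 42 for a live
 * map, -1 if the map was freed while the program still held the pointer. */
int scenario(bool fixed)
{
    struct inner_map *m = calloc(1, sizeof(*m));
    if (!m)
        abort();
    m->refcnt = 1;                         /* reference owned by the outer map slot */
    m->value = 42;
    outer_map[0] = m;

    reader_active = true;                  /* program: rcu_read_lock() */
    struct inner_map *p = outer_map[0];    /* program: rcu_dereference() of the slot */
    outer_map_update(0, NULL, fixed);      /* updater: delete the inner map concurrently */
    rcu_grace_period();                    /* cannot complete, reader still inside */
    run_kworker();                         /* but the kworker is free to run now */
    int observed = p->value;               /* program reads through its stale/live pointer */

    reader_active = false;                 /* program: rcu_read_unlock() */
    rcu_grace_period();                    /* deferred path completes here */
    run_kworker();
    assert(m->freed);                      /* both paths eventually free the map */
    free(m);
    return observed;
}

int main(void)
{
    printf("vulnerable path observes %d, fixed path observes %d\n",
           scenario(false), scenario(true));
    return 0;
}
```

The model deliberately lets the kworker run while the reader is still inside its section, which is exactly the window the kernel's immediate bpf_map_put() left open; the fixed path is not slower to free the map, it merely orders the free after the reader has left, which is why both scenarios end with the map freed but only the vulnerable one returns the poisoned value.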