From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2023-52521: bpf: Annotate bpf_long_memcpy with data_race
Date: Sat, 2 Mar 2024 22:53:05 +0100
Message-ID: <2024030253-CVE-2023-52521-d847@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: Annotate bpf_long_memcpy with data_race

syzbot reported a data race splat between two processes trying to update
the same BPF map value via syscall on different CPUs:

  BUG: KCSAN: data-race in bpf_percpu_array_update / bpf_percpu_array_update

  write to 0xffffe8fffe7425d8 of 8 bytes by task 8257 on cpu 1:
   bpf_long_memcpy include/linux/bpf.h:428 [inline]
   bpf_obj_memcpy include/linux/bpf.h:441 [inline]
   copy_map_value_long include/linux/bpf.h:464 [inline]
   bpf_percpu_array_update+0x3bb/0x500 kernel/bpf/arraymap.c:380
   bpf_map_update_value+0x190/0x370 kernel/bpf/syscall.c:175
   generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1749
   bpf_map_do_batch+0x2df/0x3d0 kernel/bpf/syscall.c:4648
   __sys_bpf+0x28a/0x780
   __do_sys_bpf kernel/bpf/syscall.c:5241 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5239 [inline]
   __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5239
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

  write to 0xffffe8fffe7425d8 of 8 bytes by task 8268 on cpu 0:
   bpf_long_memcpy include/linux/bpf.h:428 [inline]
   bpf_obj_memcpy include/linux/bpf.h:441 [inline]
   copy_map_value_long include/linux/bpf.h:464 [inline]
   bpf_percpu_array_update+0x3bb/0x500 kernel/bpf/arraymap.c:380
   bpf_map_update_value+0x190/0x370 kernel/bpf/syscall.c:175
   generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1749
   bpf_map_do_batch+0x2df/0x3d0 kernel/bpf/syscall.c:4648
   __sys_bpf+0x28a/0x780
   __do_sys_bpf kernel/bpf/syscall.c:5241 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5239 [inline]
   __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5239
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

  value changed: 0x0000000000000000 -> 0xfffffff000002788

The bpf_long_memcpy is used with 8-byte aligned pointers, power-of-8 size
and forced to use long read/writes to try to atomically copy long counters.
It is best-effort only and no barriers are here since it _will_ race with
concurrent updates from BPF programs. The bpf_long_memcpy() is called from
bpf(2) syscall. Marco suggested that the best way to make this known to
KCSAN would be to use data_race() annotation.

The Linux kernel CVE team has assigned CVE-2023-52521 to this issue.


Affected and fixed versions
===========================

	Fixed in 6.1.56 with commit 5685f8a6fae1
	Fixed in 6.5.6 with commit e562de67dc91
	Fixed in 6.6 with commit 6a86b5b5cd76

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52521
will be updated if fixes are backported; please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/bpf.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5685f8a6fae1fbe480493b980a1fdbe67c86a094
	https://git.kernel.org/stable/c/e562de67dc9196f2415f117796a2108c00ac7fc6
	https://git.kernel.org/stable/c/6a86b5b5cd76d2734304a0173f5f01aa8aa2025e
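Worked example (added here; not code from the kernel or from the fix commits above). It is a userspace model of the per-long copy the Description talks about, written to show what "best-effort, per-word atomic, no barriers" means in practice. Assumptions: LP64 (long is 8 bytes), GCC/Clang __atomic builtins and pthreads. The kernel does plain long accesses wrapped in data_race(), which only tells KCSAN that the race is intended; the model below uses a relaxed atomic load/store per word to state the same intent portably (and to stop the compiler from turning the loop into a memcpy() call or wider vector stores). A writer thread alternates between two complete map values while a reader keeps taking snapshots with the same long-wise copy. With the long copy, every counter the reader sees is either the old or the new value, although one snapshot may hold a mix of old and new counters (that mixing is exactly the race the commit message says is acceptable). The byte-wise copy is the contrast: the reader can then observe a counter that is half old and half new.

```c
/* Userspace model of bpf_long_memcpy(): added example, not kernel code.
 * Assumes LP64, GCC/Clang __atomic builtins and pthreads. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NWORDS    8                    /* a map value of 8 x 8-byte counters */
#define OLD_VALUE 0x1111111111111111L  /* constructed test patterns */
#define NEW_VALUE 0x2222222222222222L

typedef void (*copy_fn)(void *dst, const void *src, uint32_t size);

/* Precondition, as in the kernel: dst/src 8-byte aligned, size % 8 == 0.
 * One relaxed atomic access per word: each counter is copied whole, but
 * nothing orders one word against the next. */
static void bpf_long_memcpy(void *dst, const void *src, uint32_t size)
{
	const long *lsrc = src;
	long *ldst = dst;

	size /= sizeof(long);
	while (size--)
		__atomic_store_n(ldst++, __atomic_load_n(lsrc++, __ATOMIC_RELAXED),
				 __ATOMIC_RELAXED);
}

/* What the copy must not degrade into: each byte is atomic, a counter is not. */
static void byte_memcpy(void *dst, const void *src, uint32_t size)
{
	const unsigned char *bsrc = src;
	unsigned char *bdst = dst;

	while (size--)
		__atomic_store_n(bdst++, __atomic_load_n(bsrc++, __ATOMIC_RELAXED),
				 __ATOMIC_RELAXED);
}

struct race_stats {
	long snapshots;  /* reads taken while the writer was running */
	long torn_words; /* words that are neither OLD_VALUE nor NEW_VALUE */
	long mixed;      /* snapshots holding both old and new counters */
};

struct race_ctx {
	long value[NWORDS];  /* the shared map value, 8-byte aligned */
	copy_fn writer_copy;
	int iters;
	bool done;           /* writer -> reader flag, accessed with __atomic */
	struct race_stats stats;
};

static void *writer(void *p)
{
	struct race_ctx *ctx = p;
	long oldv[NWORDS], newv[NWORDS];

	for (int i = 0; i < NWORDS; i++) {
		oldv[i] = OLD_VALUE;
		newv[i] = NEW_VALUE;
	}
	for (int i = 0; i < ctx->iters; i++)   /* alternate two full updates */
		ctx->writer_copy(ctx->value, (i & 1) ? newv : oldv, sizeof(oldv));
	__atomic_store_n(&ctx->done, true, __ATOMIC_RELEASE);
	return NULL;
}

static void *reader(void *p)
{
	struct race_ctx *ctx = p;
	long snap[NWORDS];

	while (!__atomic_load_n(&ctx->done, __ATOMIC_ACQUIRE)) {
		bool saw_old = false, saw_new = false;

		bpf_long_memcpy(snap, ctx->value, sizeof(snap)); /* read side */
		ctx->stats.snapshots++;
		for (int i = 0; i < NWORDS; i++) {
			if (snap[i] == OLD_VALUE)
				saw_old = true;
			else if (snap[i] == NEW_VALUE)
				saw_new = true;
			else
				ctx->stats.torn_words++;  /* half old, half new */
		}
		if (saw_old && saw_new)  /* allowed: best-effort, no barriers */
			ctx->stats.mixed++;
	}
	return NULL;
}

/* Runs writer and reader concurrently; torn_words is -1 if threads failed. */
static struct race_stats run_race(copy_fn writer_copy, int iters)
{
	struct race_ctx ctx = { .writer_copy = writer_copy, .iters = iters };
	pthread_t w, r;
	bool started;

	for (int i = 0; i < NWORDS; i++)
		ctx.value[i] = OLD_VALUE;
	if (pthread_create(&r, NULL, reader, &ctx))
		return (struct race_stats){ .torn_words = -1 };
	started = !pthread_create(&w, NULL, writer, &ctx);
	if (started)
		pthread_join(w, NULL);
	else
		__atomic_store_n(&ctx.done, true, __ATOMIC_RELEASE);
	pthread_join(r, NULL);
	if (!started)
		ctx.stats.torn_words = -1;
	return ctx.stats;
}

int main(void)
{
	struct race_stats l = run_race(bpf_long_memcpy, 200000);
	struct race_stats b = run_race(byte_memcpy, 200000);

	printf("long copy: %ld snapshots, %ld torn, %ld mixed\n",
	       l.snapshots, l.torn_words, l.mixed);
	printf("byte copy: %ld snapshots, %ld torn, %ld mixed\n",
	       b.snapshots, b.torn_words, b.mixed);
	return 0;
}
```

Build with something like `cc -O2 -pthread race.c` (file name assumed). The long-copy run reports zero torn words on every run; the number of mixed snapshots and the byte-copy torn count depend on scheduling and are only there to make the difference visible. Note what the fix in the kernel does and does not change: data_race() silences the KCSAN report for an access the authors consider intentionally racy; it adds no barrier and does not make the copy of the whole value atomic, so the per-counter guarantee still rests on aligned long-sized accesses.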