In the Linux kernel, the following vulnerability has been resolved: bpf,
sockmap: Prevent lock inversion deadlock in map delete elem syzkaller
started using corpuses where a BPF tracing program deletes elements from a
sockmap/sockhash map. Because BPF tracing programs can be invoked from any
interrupt context, locks taken during a map_delete_elem operation must be
hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as
reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock);
local_irq_disable(); lock(&host->lock); lock(&htab->buckets[i].lock);
<Interrupt> lock(&host->lock); Locks in sockmap are hardirq-unsafe by
design. We expects elements to be deleted from sockmap/sockhash only in
task (normal) context with interrupts enabled, or in softirq context.
Detect when map_delete_elem operation is invoked from a context which is
not hardirq-unsafe, that is interrupts are disabled, and bail out with an
error. Note that map updates are not affected by this issue. BPF verifier
does not allow updating sockmap/sockhash from a BPF tracing program today.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/ff91059932401894e6c86341915615c5eb0eca48 (6.9-rc3)
git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86
git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd
git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5
git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec
git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75
git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058
git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48
launchpad.net/bugs/cve/CVE-2024-35895
nvd.nist.gov/vuln/detail/CVE-2024-35895
security-tracker.debian.org/tracker/CVE-2024-35895
www.cve.org/CVERecord?id=CVE-2024-35895