CVE-2023-54173

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Disable preemption in bpf_event_output

We received report [1] of kernel crash, which is caused by using nesting protection without disabled preemption.

The bpf_event_output can be called by programs executed by bpf_prog_run_array_cg function that disabled migration but keeps preemption enabled.

This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like:

BUG: kernel NULL pointer dereference, address: 0000000000000001 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page … ? perf_output_sample+0x12a/0x9a0 ? finish_task_switch.isra.0+0x81/0x280 ? perf_event_output+0x66/0xa0 ? bpf_event_output+0x13a/0x190 ? bpf_event_output_data+0x22/0x40 ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb ? xa_load+0x87/0xe0 ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0 ? release_sock+0x3e/0x90 ? sk_setsockopt+0x1a1/0x12f0 ? udp_pre_connect+0x36/0x50 ? inet_dgram_connect+0x93/0xa0 ? __sys_connect+0xb4/0xe0 ? udp_setsockopt+0x27/0x40 ? __pfx_udp_push_pending_frames+0x10/0x10 ? __sys_setsockopt+0xdf/0x1a0 ? __x64_sys_connect+0xf/0x20 ? do_syscall_64+0x3a/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc

Fixing this by disabling preemption in bpf_event_output.

[1] https://github.com/cilium/cilium/issues/26756

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2a916f2f546ca1c1e3323e2a4269307f6d9890eb < 3048cb0dc0cc9dc74ed93690dffef00733bcad5baffected
LinuxLinux2a916f2f546ca1c1e3323e2a4269307f6d9890eb < c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90affected
LinuxLinux2a916f2f546ca1c1e3323e2a4269307f6d9890eb < 36dd8ca330b76585640ed32255a3c99f901e1502affected
LinuxLinux2a916f2f546ca1c1e3323e2a4269307f6d9890eb < 063c9ce8e74e07bf94f99cd13146f42867875e8baffected
LinuxLinux2a916f2f546ca1c1e3323e2a4269307f6d9890eb < d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32affected
LinuxLinux5.7affected
LinuxLinux0 < 5.7unaffected
LinuxLinux5.10.190 <= 5.10.*unaffected
LinuxLinux5.15.126 <= 5.15.*unaffected
LinuxLinux6.1.45 <= 6.1.*unaffected
LinuxLinux6.4.10 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References