CVE-2023-54283
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Address KCSAN report on bpf_lru_list
KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race().
There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also.
================================================================== BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem
write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] __bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] __bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] __htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] __htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x01 -> 0x00
Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < 6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90 | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < a89d14410ea0352420f03cddc67e0002dcc8f9a5 | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5 | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < b6d9a4062c944ad095b34dc112bf646a84156f60 | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < 819ca25444b377935faa2dbb0aa3547519b5c80f | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < c006fe361cfd947f51a56793deddf891e5cbfef8 | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < 6e5e83b56f50fbd1c8f7dca7df7d72c67be25571 | affected |
| Linux | Linux | 3a08c2fd763450a927d1130de078d6f9e74944fb < ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 | affected |
| Linux | Linux | 4.10 | affected |
| Linux | Linux | 0 < 4.10 | unaffected |
| Linux | Linux | 4.14.322 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.291 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.251 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.188 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.150 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.42 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.7 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90
- https://git.kernel.org/stable/c/a89d14410ea0352420f03cddc67e0002dcc8f9a5
- https://git.kernel.org/stable/c/e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5
- https://git.kernel.org/stable/c/b6d9a4062c944ad095b34dc112bf646a84156f60
- https://git.kernel.org/stable/c/819ca25444b377935faa2dbb0aa3547519b5c80f
- https://git.kernel.org/stable/c/c006fe361cfd947f51a56793deddf891e5cbfef8
- https://git.kernel.org/stable/c/6e5e83b56f50fbd1c8f7dca7df7d72c67be25571
- https://git.kernel.org/stable/c/ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.