CVE-2023-54303

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Disable preemption in bpf_perf_event_output

The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints.

However bpf_perf_event_output can be also called from uprobes context through bpf_prog_run_array_sleepable function which disables migration, but keeps preemption enabled.

This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like:

kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea … Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40

Fixing this by disabling preemption in bpf_perf_event_output.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 < 3654ed5daf492463c3faa434c7000d45c2da2aceaffected
LinuxLinux8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 < a0ac32cf61e5a76e2429e486925a52ee41dd75e3affected
LinuxLinux8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 < f2c67a3e60d1071b65848efaa8c3b66c363dd025affected
LinuxLinux6.0affected
LinuxLinux0 < 6.0unaffected
LinuxLinux6.1.45 <= 6.1.*unaffected
LinuxLinux6.4.10 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References