CVE-2024-58060

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1611603537a4b88cec7993f32b70c03113801a46 < b777b14c2a4a4e2322daf8e8ffd42d2b88831b17affected
LinuxLinux1611603537a4b88cec7993f32b70c03113801a46 < 2324fb4e92092837ee278fdd8d60c48ee1a619ceaffected
LinuxLinux1611603537a4b88cec7993f32b70c03113801a46 < 96ea081ed52bf077cad6d00153b6fba68e510767affected
LinuxLinux6.9affected
LinuxLinux0 < 6.9unaffected
LinuxLinux6.12.13 <= 6.12.*unaffected
LinuxLinux6.13.2 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References