CVE-2024-26737
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bookworm | fixed | 6.1.82-1 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.7.7-1 |
| debian | sid | fixed | 6.7.7-1 |
| debian | trixie | fixed | 6.7.7-1 |
| almalinux | 9 | fixed | kernel-64k-debug-devel-matched-5.14.0-427.28.1.el9_4.aarch64.rpm |
References
- https://access.redhat.com/errata/RHSA-2024:4928
- https://www.suse.com/security/cve/CVE-2024-26737.html
- https://errata.rockylinux.org/RXSA-2024:4928
- https://errata.rockylinux.org/RLSA-2024:4928
- https://security-tracker.debian.org/tracker/CVE-2024-26737
- https://bugzilla.redhat.com/2265794
- https://bugzilla.redhat.com/2273236
- https://bugzilla.redhat.com/2273274
- https://bugzilla.redhat.com/2275690
- https://bugzilla.redhat.com/2275761
- https://bugzilla.redhat.com/2278337
- https://bugzilla.redhat.com/2278435
- https://bugzilla.redhat.com/2278473
- https://bugzilla.redhat.com/2281247
- https://bugzilla.redhat.com/2281647
- https://bugzilla.redhat.com/2281700
- https://bugzilla.redhat.com/2282669
- https://bugzilla.redhat.com/2282898
- https://bugzilla.redhat.com/2284506
- https://bugzilla.redhat.com/2284598
- https://bugzilla.redhat.com/2293316
- https://bugzilla.redhat.com/2293412
- https://errata.almalinux.org/9/ALSA-2024-4928.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.