Vulnerability Details : CVE-2024-26737
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
The following race is possible between bpf_timer_cancel_and_free
and bpf_timer_cancel. It will lead a UAF on the timer->timer.
bpf_timer_cancel();
spin_lock();
t = timer->time;
spin_unlock();
bpf_timer_cancel_and_free();
spin_lock();
t = timer->timer;
timer->timer = NULL;
spin_unlock();
hrtimer_cancel(&t->timer);
kfree(t);
/* UAF on t */
hrtimer_cancel(&t->timer);
In bpf_timer_cancel_and_free, this patch frees the timer->timer
after a rcu grace period. This requires a rcu_head addition
to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init,
this does not need a kfree_rcu because it is still under the
spin_lock and timer->timer has not been visible by others yet.
In bpf_timer_cancel, rcu_read_lock() is added because this helper
can be used in a non rcu critical section context (e.g. from
a sleepable bpf prog). Other timer->timer usages in helpers.c
have been audited, bpf_timer_cancel() is the only place where
timer->timer is used outside of the spin_lock.
Another solution considered is to mark a t->flag in bpf_timer_cancel
and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,
it busy waits for the flag to be cleared before kfree(t). This patch
goes with a straight forward solution and frees timer->timer after
a rcu grace period.
Products affected by CVE-2024-26737
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2024-26737
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 15 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-26737
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-11-04 |
CWE ids for CVE-2024-26737
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2024-26737
-
https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel - kernel/git/stable/linux.git - Linux kernel stable treePatch
-
https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel - kernel/git/stable/linux.git - Linux kernel stable treePatch
-
https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel - kernel/git/stable/linux.git - Linux kernel stable treePatch
-
https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel - kernel/git/stable/linux.git - Linux kernel stable treePatch
-
https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel - kernel/git/stable/linux.git - Linux kernel stable treePatch
Jump to