ACK: [SRU][J][PATCH 0/2] CVE-2023-52447

Tim Gardner tim.gardner at canonical.com
Mon Apr 22 13:39:45 UTC 2024 

On 4/15/24 2:59 PM, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved: bpf:
>   Defer the free of inner map when necessary
> 
>   When updating or deleting an inner map in map array or map htab, the map
>   may still be accessed by non-sleepable program or sleepable program.
>   However bpf_map_fd_put_ptr() decreases the ref-counter of the inner map
>   directly through bpf_map_put(), if the ref-counter is the last one (which
>   is true for most cases), the inner map will be freed by ops->map_free() in
>   a kworker. But for now, most .map_free() callbacks don't use
>   synchronize_rcu() or its variants to wait for the elapse of a RCU grace
>   period, so after the invocation of ops->map_free completes, the bpf program
>   which is accessing the inner map may incur use-after-free problem.
> 
>   Fix the free of inner map by invoking bpf_map_free_deferred() after both
>   one RCU grace period and one tasks trace RCU grace period if the inner map
>   has been removed from the outer map before. The deferment is accomplished
>   by using call_rcu() or call_rcu_tasks_trace() when releasing the last
>   ref-counter of bpf map. The newly-added rcu_head field in bpf_map shares
>   the same storage space with work field to reduce the size of bpf_map.
> 
> [Fix]
> 
> Mantic: pending
> Jammy:  Prereq commit and fix commit (linux-5.15.y) cherry-picked cleanly.
> Focal:  not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the Berkeley Packet Filter (bpf), an issue
> with this fix would be visable with unpredicted system behavior or even
> a system crash.
> 
> Hou Tao (1):
>    bpf: Defer the free of inner map when necessary
> 
> Paul E. McKenney (1):
>    rcu-tasks: Provide rcu_trace_implies_rcu_gp()
> 
>   include/linux/bpf.h      |  7 ++++++-
>   include/linux/rcupdate.h | 12 ++++++++++++
>   kernel/bpf/map_in_map.c  | 11 ++++++++---
>   kernel/bpf/syscall.c     | 26 ++++++++++++++++++++++++--
>   kernel/rcu/tasks.h       |  2 ++
>   5 files changed, 52 insertions(+), 6 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list