CVE-2024-41045

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41045
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41045.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-41045
Published
2024-07-29T14:32:02Z
Modified
2025-10-15T12:30:33.932521Z
Summary
bpf: Defer work in bpf_timer_cancel_and_free
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer work in bpf_timer_cancel_and_free

Currently, the same case as previous patch (two timer callbacks trying to cancel each other) can be invoked through bpf_map_update_elem as well, or more precisely, freeing map elements containing timers. Since this relies on hrtimer_cancel as well, it is prone to the same deadlock situation as the previous patch.

It would be sufficient to use hrtimer_try_to_cancel to fix this problem, as the timer cannot be enqueued after async_cancel_and_free. Once async_cancel_and_free has been done, the timer must be reinitialized before it can be armed again. The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again.

However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). In such a case, if the timer expiration is significantly far in the future, the RCU grace period expiration happening before it will free the bpf_hrtimer state and along with it the struct hrtimer, that is enqueued.

Hence, it is clear cancellation needs to occur after async_cancel_and_free, and yet it cannot be done inline due to deadlock issues. We thus modify bpf_timer_cancel_and_free to defer work to the global workqueue, adding a work_struct alongside rcu_head (both used at _different_ points of time, so can share space).

Update existing code comments to reflect the new state of affairs.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b00628b1c7d595ae5b544e059c27b1f5828314b4
Fixed
7aa5a19279c3639ae8b758b63f05d0c616a39fa1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b00628b1c7d595ae5b544e059c27b1f5828314b4
Fixed
a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69

Affected versions

v5.*

v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/bpf/helpers.c",
                "function": "__bpf_async_init"
            },
            "id": "CVE-2024-41045-1c8a8c38",
            "digest": {
                "length": 1143.0,
                "function_hash": "17662491385183501572762014269004158450"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7aa5a19279c3639ae8b758b63f05d0c616a39fa1"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "kernel/bpf/helpers.c"
            },
            "id": "CVE-2024-41045-58ce5ef2",
            "digest": {
                "line_hashes": [
                    "167617959869780148063027738023233466092",
                    "187183189766995426847357745504755197997",
                    "307886355013889671190697701299807631551",
                    "252785125288770908896571316173536172638",
                    "79336806235732150856303059620957462902",
                    "20361608993255053749670641265556727001",
                    "171906274045416343120244284944045027586",
                    "151317430427829740272075290451112595026",
                    "37194434468112342840284030629907537190",
                    "221500438604956185025446875880196240028",
                    "263116199517780130348643206865056370716",
                    "140827073577121312226489607764363763086",
                    "93665256957403597650336465558868325852",
                    "96055854063753201022486459249362860196",
                    "147894533609443292223443214232782649401",
                    "332130087590500462869083173520172262808",
                    "271705112956884740698996070059018652372"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7aa5a19279c3639ae8b758b63f05d0c616a39fa1"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/bpf/helpers.c",
                "function": "bpf_timer_cancel_and_free"
            },
            "id": "CVE-2024-41045-5d0097ee",
            "digest": {
                "length": 214.0,
                "function_hash": "187951960127385819355079193799388419961"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/bpf/helpers.c",
                "function": "bpf_timer_cancel_and_free"
            },
            "id": "CVE-2024-41045-8f493274",
            "digest": {
                "length": 404.0,
                "function_hash": "200093871015599225285051662867790822120"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7aa5a19279c3639ae8b758b63f05d0c616a39fa1"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/bpf/helpers.c",
                "function": "__bpf_async_init"
            },
            "id": "CVE-2024-41045-9264a5fa",
            "digest": {
                "length": 1451.0,
                "function_hash": "267672331908477225422508617320500118601"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "kernel/bpf/helpers.c"
            },
            "id": "CVE-2024-41045-b5e3edaf",
            "digest": {
                "line_hashes": [
                    "167617959869780148063027738023233466092",
                    "187183189766995426847357745504755197997",
                    "307886355013889671190697701299807631551",
                    "252785125288770908896571316173536172638",
                    "235125641780888980309200455044360145274",
                    "186530797369576521780191822974525063570",
                    "171906274045416343120244284944045027586",
                    "237545209446228977431139275248664615216",
                    "37194434468112342840284030629907537190",
                    "221500438604956185025446875880196240028",
                    "263116199517780130348643206865056370716",
                    "27552023794877948096611274726020878258",
                    "93665256957403597650336465558868325852",
                    "96055854063753201022486459249362860196",
                    "147894533609443292223443214232782649401",
                    "6938651765972911291272703573346798163",
                    "296325869828793157680340534155263190038"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.9.10