CVE-2024-43887

The lifetime of TCP-AO statickey is the same as the last tcpaoinfo. On the socket destruction tcpaoinfo ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed. The static key definition is : DEFINESTATICKEYDEFERREDFALSE(tcpao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcpaoneeded is in the process of disablement, other CPUs may yet see tcpaoinfo which atent dead, but soon-to-be. And that breaks the assumption of statickeyfastincnot_disabled().

See the comment near the definition:

The caller must make sure that the static key can't get disabled while

in this function. It doesn't patch jump labels, only adds a user to

an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jumplabel: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex. statickeyfastincnotdisabled() is just a helper for such usage case. But it must not be used if the static branch could get disabled in parallel as it's not protected by jumplabelmutex and as a result, races with jumplabelupdate() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jumplabel: Fatal kernel bug, unexpected op at tcpinboundhash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1 [] ------------[ cut here ]------------ [] kernel BUG at arch/x86/kernel/jumplabel.c:73! [] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI [] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1 [] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [] Workqueue: events jumplabelupdatetimeout [] RIP: 0010:jumplabelpatch+0x2f6/0x350 ... [] Call Trace: [] <TASK> [] archjumplabeltransformqueue+0x6c/0x110 [] _jumplabelupdate+0xef/0x350 [] _statickeyslowdeccpuslocked.part.0+0x3c/0x60 [] jumplabelupdatetimeout+0x2c/0x40 [] processonework+0xe3b/0x1670 [] workerthread+0x587/0xce0 [] kthread+0x28a/0x350 [] retfromfork+0x31/0x70 [] retfromforkasm+0x1a/0x30 [] </TASK> [] Modules linked in: veth [] ---[ end trace 0000000000000000 ]--- [] RIP: 0010:jumplabelpatch+0x2f6/0x350

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43

Fixed

954d55a59b2501f4a9bd693b40ce45a1c46cb2b3

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43

Fixed

14ab4792ee120c022f276a7e4768f4dcb08f0cdd

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.2

v6.10.3

v6.10.4

v6.11-rc1

v6.6

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-43887-33c02bf1",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "314594011653261632752356906169052279631",
                "114908523173234764798632416780472979524",
                "332865117410169834560602729626445730803",
                "130755006505534908948378155106236672381",
                "205772176917577369371484405623667590426",
                "329879893503405655083684459964154208774",
                "221297688019568528441767437708674856903",
                "60340116986712427602197161697197222877",
                "271177541636678225037254386057750909444",
                "8520104705753231170763522281459331706",
                "25628056869760676692445719865574898475",
                "134088648756760499068618378938955225516",
                "169546209297767197475762991874483976954",
                "160840489115060718105954257168291799233",
                "336304397243234041499883368789678550234",
                "191651786830040820272534980629127452698",
                "208304909760886684564490129977571102071",
                "129703860433581247965773504554000092496",
                "339106543375058156544783766487971468066",
                "144384075251327845099491200983351050577",
                "231889012632341761535732669779707309634",
                "200039774660259380275537474485035998648",
                "163364813737470530657860262180216712234",
                "329466660245249632928229765910072138790",
                "271645718087177537111858991200075537537"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@954d55a59b2501f4a9bd693b40ce45a1c46cb2b3",
        "target": {
            "file": "net/ipv4/tcp_ao.c"
        }
    },
    {
        "id": "CVE-2024-43887-6e4e1b6f",
        "signature_version": "v1",
        "digest": {
            "function_hash": "232254532568382682097113039568262028332",
            "length": 638.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@954d55a59b2501f4a9bd693b40ce45a1c46cb2b3",
        "target": {
            "file": "net/ipv4/tcp_ao.c",
            "function": "tcp_ao_destroy_sock"
        }
    }
]

CVE-2024-43887

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v6.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges