CVE-2024-58088
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-58088
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-58088.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-58088
- Downstream
- Related
- Published
- 2025-03-12T10:15:16Z
- Modified
- 2025-03-13T16:21:33Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix deadlock when freeing cgroup storage
The following commit bc235cdb423a ("bpf: Prevent deadlock from recursive bpftaskstorage[get|delete]") first introduced deadlock prevention for fentry/fexit programs attaching on bpftask_storage helpers. That commit also employed the logic in map free path in its v6 version.
Later bpfcgrpstorage was first introduced in c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs") which faces the same issue as bpftaskstorage, instead of its busy counter, NULL was passed to bpflocalstoragemapfree() which opened a window to cause deadlock:
<TASK> (acquiring local_storage->lock) _raw_spin_lock_irqsave+0x3d/0x50 bpf_local_storage_update+0xd1/0x460 bpf_cgrp_storage_get+0x109/0x130 bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170 ? __bpf_prog_enter_recur+0x16/0x80 bpf_trampoline_6442485186+0x43/0xa4 cgroup_storage_ptr+0x9/0x20 (holding local_storage->lock) bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160 bpf_selem_unlink_storage+0x6f/0x110 bpf_local_storage_map_free+0xa2/0x110 bpf_map_free_deferred+0x5b/0x90 process_one_work+0x17c/0x390 worker_thread+0x251/0x360 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK>Progs: - A: SEC("fentry/cgroupstorageptr") - cgid (BPFMAPTYPEHASH) Record the id of the cgroup the current task belonging to in this hash map, using the address of the cgroup as the map key. - cgrpa (BPFMAPTYPECGRPSTORAGE) If current task is a kworker, lookup the above hash map using function parameter @owner as the key to get its corresponding cgroup id which is then used to get a trusted pointer to the cgroup through bpfcgroupfromid(). This trusted pointer can then be passed to bpfcgrpstorageget() to finally trigger the deadlock issue. - B: SEC("tpbtf/sysenter") - cgrpb (BPFMAPTYPECGRPSTORAGE) The only purpose of this prog is to fill Prog A's hash map by calling bpfcgrpstorageget() for as many userspace tasks as possible.
Steps to reproduce: - Run A; - while (true) { Run B; Destroy B; }
Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking.
- References
-
- https://git.kernel.org/stable/c/6ecb9fa14eec5f15d97c84c36896871335f6ddfb
- https://git.kernel.org/stable/c/c78f4afbd962f43a3989f45f3ca04300252b19b5
- https://git.kernel.org/stable/c/fac674d2bd68f3479f27328626b42d1eebd11fef
- https://git.kernel.org/stable/c/fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
- https://security-tracker.debian.org/tracker/CVE-2024-58088
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source