CVE-2024-58088
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-58088
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-58088.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-58088
- Downstream
- Related
- Published
- 2025-03-12T09:41:58.986Z
- Modified
- 2025-11-20T08:11:25.344663Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- bpf: Fix deadlock when freeing cgroup storage
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix deadlock when freeing cgroup storage
The following commit bc235cdb423a ("bpf: Prevent deadlock from recursive bpftaskstorage[get|delete]") first introduced deadlock prevention for fentry/fexit programs attaching on bpftask_storage helpers. That commit also employed the logic in map free path in its v6 version.
Later bpfcgrpstorage was first introduced in c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs") which faces the same issue as bpftaskstorage, instead of its busy counter, NULL was passed to bpflocalstoragemapfree() which opened a window to cause deadlock:
<TASK> (acquiring local_storage->lock) _raw_spin_lock_irqsave+0x3d/0x50 bpf_local_storage_update+0xd1/0x460 bpf_cgrp_storage_get+0x109/0x130 bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170 ? __bpf_prog_enter_recur+0x16/0x80 bpf_trampoline_6442485186+0x43/0xa4 cgroup_storage_ptr+0x9/0x20 (holding local_storage->lock) bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160 bpf_selem_unlink_storage+0x6f/0x110 bpf_local_storage_map_free+0xa2/0x110 bpf_map_free_deferred+0x5b/0x90 process_one_work+0x17c/0x390 worker_thread+0x251/0x360 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK>Progs: - A: SEC("fentry/cgroupstorageptr") - cgid (BPFMAPTYPEHASH) Record the id of the cgroup the current task belonging to in this hash map, using the address of the cgroup as the map key. - cgrpa (BPFMAPTYPECGRPSTORAGE) If current task is a kworker, lookup the above hash map using function parameter @owner as the key to get its corresponding cgroup id which is then used to get a trusted pointer to the cgroup through bpfcgroupfromid(). This trusted pointer can then be passed to bpfcgrpstorageget() to finally trigger the deadlock issue. - B: SEC("tpbtf/sysenter") - cgrpb (BPFMAPTYPECGRPSTORAGE) The only purpose of this prog is to fill Prog A's hash map by calling bpfcgrpstorageget() for as many userspace tasks as possible.
Steps to reproduce: - Run A; - while (true) { Run B; Destroy B; }
Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/6ecb9fa14eec5f15d97c84c36896871335f6ddfb
- https://git.kernel.org/stable/c/c78f4afbd962f43a3989f45f3ca04300252b19b5
- https://git.kernel.org/stable/c/fac674d2bd68f3479f27328626b42d1eebd11fef
- https://git.kernel.org/stable/c/fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc4bcfb38a95edb1021a53f2d0356a78120ecfbe4Fixed6ecb9fa14eec5f15d97c84c36896871335f6ddfb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc4bcfb38a95edb1021a53f2d0356a78120ecfbe4Fixedfac674d2bd68f3479f27328626b42d1eebd11fef
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc4bcfb38a95edb1021a53f2d0356a78120ecfbe4Fixedfcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc4bcfb38a95edb1021a53f2d0356a78120ecfbe4Fixedc78f4afbd962f43a3989f45f3ca04300252b19b5
Affected versions
v6.*
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"17193556190908431913529791972977719113",
"315641437893388999983515420656013795624",
"236255543996998476786873096955768203230",
"327439182352644661616560974211764256485"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c78f4afbd962f43a3989f45f3ca04300252b19b5",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c"
},
"id": "CVE-2024-58088-2245c973"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 88.0,
"function_hash": "278266163135924162502407117275417994327"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6ecb9fa14eec5f15d97c84c36896871335f6ddfb",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c",
"function": "cgroup_storage_map_free"
},
"id": "CVE-2024-58088-27c51e96"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"17193556190908431913529791972977719113",
"315641437893388999983515420656013795624",
"236255543996998476786873096955768203230",
"327439182352644661616560974211764256485"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6ecb9fa14eec5f15d97c84c36896871335f6ddfb",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c"
},
"id": "CVE-2024-58088-6d0ff18f"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"17193556190908431913529791972977719113",
"315641437893388999983515420656013795624",
"236255543996998476786873096955768203230",
"327439182352644661616560974211764256485"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fac674d2bd68f3479f27328626b42d1eebd11fef",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c"
},
"id": "CVE-2024-58088-833dafc8"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"17193556190908431913529791972977719113",
"315641437893388999983515420656013795624",
"236255543996998476786873096955768203230",
"327439182352644661616560974211764256485"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c"
},
"id": "CVE-2024-58088-a471a5f7"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 88.0,
"function_hash": "278266163135924162502407117275417994327"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c78f4afbd962f43a3989f45f3ca04300252b19b5",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c",
"function": "cgroup_storage_map_free"
},
"id": "CVE-2024-58088-a98b6b1b"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 88.0,
"function_hash": "278266163135924162502407117275417994327"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fac674d2bd68f3479f27328626b42d1eebd11fef",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c",
"function": "cgroup_storage_map_free"
},
"id": "CVE-2024-58088-b22c2ed0"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 88.0,
"function_hash": "278266163135924162502407117275417994327"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7",
"target": {
"file": "kernel/bpf/bpf_cgrp_storage.c",
"function": "cgroup_storage_map_free"
},
"id": "CVE-2024-58088-bcb28fcc"
}
]