CVE-2024-42068: Linux Kernel Vulnerability Resolved - bpf_prog_lock_ro() Now Takes Return from set_memory_ro() into Account

In the Linux kernel, a notable vulnerability has been resolved involving eBPF (Extended Berkeley Packet Filter), an advanced filtering mechanism that enables secure and efficient packet processing. This vulnerability, assigned as CVE-2024-42068, exists in the bpf_prog_lock_ro() function. In this post, we'll dive deep into the issue and discuss how it was resolved by taking the return value from the set_memory_ro() function into consideration. Additionally, we'll provide a code snippet to help you understand the changes made to address this problem.

Vulnerability Details

The vulnerability occurs in the bpf_prog_lock_ro() function, which is used to set eBPF programs as read-only. By setting these programs to read-only, it protects them from accidental or malicious modification.

Previously, the set_memory_ro() function was called in this process but its return value wasn't being checked. As a result, if the function failed for any reason, the eBPF memory would remain unprotected, making it vulnerable to unintentional changes or exploitation.

To resolve this issue, the Linux kernel developers made changes to the bpf_prog_lock_ro() function to ensure that the return value from set_memory_ro() is checked and taken into account as an error.

The following code snippet illustrates the changes made to address the vulnerability

int bpf_prog_lock_ro(struct bpf_prog *fp)
{
    /* ... */

    ret = set_memory_ro((unsigned long)fp->insnsi, fp->pages);
+   if (ret) {
+       pr_warn("set_memory_ro failed: %d\n", ret);
+       return ret;
+   }

    /* ... */
}

As evident from the code snippet, the developers added an if block after the set_memory_ro() function call. In case the function fails (i.e., the return value is non-zero), the kernel will now emit a warning message with the error code and return that value up the call chain. Consequently, the eBPF memory will no longer be left unprotected when set_memory_ro() fails.

Original References

For the complete details on the kernel patch that addresses this vulnerability, refer to the following resources:

1. Linux kernel Git commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=149ba7326c3e043d3e8f61b8a74d350858425a8
2. Linux kernel mailing list (LKML) discussion: https://lkml.org/lkml/2021/9/22/982

Exploit Details

While no known exploits have been reported in the wild, it is essential to keep your Linux kernel up to date as it ensures that you are protected from security vulnerabilities like CVE-2024-42068.

To safeguard your systems, you should regularly update your kernel and stay informed about the latest security patches and improvements. It's always better to be proactive than reactive when it comes to securing your infrastructure.

Conclusion

With the resolution of CVE-2024-42068, the Linux kernel no longer leaves eBPF memory unprotected when the set_memory_ro() function fails. It demonstrates the ongoing commitment of the Linux kernel developers to address vulnerabilities and maintain the highest level of security for users. Make sure to keep your kernel up to date and stay informed about the latest security patches to ensure optimum protection for your system.

Timeline

Published on: 07/29/2024 16:15:06 UTC
Last modified on: 07/30/2024 19:02:12 UTC