A recent vulnerability has been discovered and resolved in the Linux kernel that involves using raw_spinlock_t in the ring buffer. This post will provide details about the vulnerability and provide code snippets, links to original references, and exploit details. The main objective is to improve the overall security and stability of the Linux kernel for users.
Description
The vulnerability involves a function called __bpf_ringbuf_reserve that is invoked from a tracepoint, which disables preemption. Using spinlock_t in this context can lead to a "sleep in atomic" warning in the RT (Real-Time) variant of the Linux kernel. This issue is illustrated in the example below:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): , non_block: , pid: 556208, name: test_progs
preempt_count: 1, expected:
RCU nest depth: 1, expected: 1
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffd33a5c88ea44>] migrate_enable+xc/x39c
CPU: 7 PID: 556208 Comm: test_progs Tainted: G
Hardware name: Qualcomm SA8775P Ride (DT)
Call trace:
dump_backtrace+xac/x130
show_stack+x1c/x30
dump_stack_lvl+xac/xe8
dump_stack+x18/x30
__might_resched+x3bc/x4fc
rt_spin_lock+x8c/x1a4
__bpf_ringbuf_reserve+xc4/x254
bpf_ringbuf_reserve_dynptr+x5c/xdc
bpf_prog_ac3d15160d62622a_test_read_write+x104/x238
trace_call_bpf+x238/x774
perf_call_bpf_enter.isra.+x104/x194
perf_syscall_enter+x2f8/x510
trace_sys_enter+x39c/x564
syscall_trace_enter+x220/x3c
do_el_svc+x138/x1dc
el_svc+x54/x130
elt_64_sync_handler+x134/x150
elt_64_sync+x17c/x180
To resolve this issue, the developers switched the spinlock to raw_spinlock_t, improving the stability of the Linux kernel.
Here's a sample code snippet to demonstrate the fix
#include <linux/spinlock.h>
static raw_spinlock_t r_spinlock;
static void ringbuf_lock(void)
{
raw_spin_lock(&r_spin_lock);
}
static void ringbuf_unlock(void)
{
raw_spin_unlock(&r_spin_lock);
}
References
Original references that provide more information about this vulnerability and its fix can be found in the following links:
1. Linux kernel mailing list discussion about the issue: Link
2. Patch to resolve the issue in the Linux kernel source code: Link
Exploit Details
Exploiting this vulnerability could potentially lead to a variety of issues, including kernel panics or crashes, performance degradation, or data corruption. Since the bug is related to the ring buffer in the BPF (Berkeley Packet Filter) subsystem, any application that uses BPF tracepoints in a specific way could trigger the issue.
Conclusion
The identified vulnerability in the Linux kernel, which relates to raw_spinlock_t in ringbuf, has been resolved by the developers. The fix improves the overall security and stability of the Linux kernel, thus providing a more secure and stable experience for users. Users are encouraged to apply patches and updates as soon as they become available to mitigate any potential security risks.
Timeline
Published on: 11/05/2024 18:15:16 UTC
Last modified on: 11/08/2024 14:27:41 UTC