CVE-2024-50138: Resolving Linux Kernel Vulnerability - bpf: Use raw_spinlock_t in ringbuf

A recent vulnerability, tracked as CVE-2024-50138, has been discovered and resolved in the Linux kernel. It concerns the lock used in the BPF ring buffer (ringbuf), which the fix changes to a raw_spinlock_t. This post describes the vulnerability, shows the code change involved, links to the original references, and discusses its practical impact. The main objective is to improve the overall security and stability of the Linux kernel for users.

Description

The vulnerability involves the function __bpf_ringbuf_reserve, which can be invoked from a tracepoint, a context in which preemption is disabled. On the RT (Real-Time, PREEMPT_RT) variant of the Linux kernel, spinlock_t is implemented as a sleeping lock (an rt_mutex), so acquiring it with preemption disabled triggers a "sleeping function called from invalid context" ("sleep in atomic") warning. The issue is illustrated by the kernel log below:

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs
preempt_count: 1, expected: 0
RCU nest depth: 1, expected: 1
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffd33a5c88ea44>] migrate_enable+0xc/0x39c
CPU: 7 PID: 556208 Comm: test_progs Tainted: G
Hardware name: Qualcomm SA8775P Ride (DT)
Call trace:
 dump_backtrace+0xac/0x130
 show_stack+0x1c/0x30
 dump_stack_lvl+0xac/0xe8
 dump_stack+0x18/0x30
 __might_resched+0x3bc/0x4fc
 rt_spin_lock+0x8c/0x1a4
 __bpf_ringbuf_reserve+0xc4/0x254
 bpf_ringbuf_reserve_dynptr+0x5c/0xdc
 bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238
 trace_call_bpf+0x238/0x774
 perf_call_bpf_enter.isra.0+0x104/0x194
 perf_syscall_enter+0x2f8/0x510
 trace_sys_enter+0x39c/0x564
 syscall_trace_enter+0x220/0x3c0
 do_el0_svc+0x138/0x1dc
 el0_svc+0x54/0x130
 el0t_64_sync_handler+0x134/0x150
 el0t_64_sync+0x17c/0x180

To resolve this issue, the developers switched the ring buffer's lock from spinlock_t to raw_spinlock_t, which stays a genuine spinning lock on PREEMPT_RT and can therefore be taken with preemption disabled. This improves the stability of the Linux kernel.

Here's a simplified sample code snippet to demonstrate the fix (the real patch changes the lock field inside struct bpf_ringbuf and the matching lock/unlock calls rather than introducing a separate global lock):

#include <linux/spinlock.h>

/* Statically initialised raw spinlock. Unlike spinlock_t, a raw_spinlock_t is
 * never turned into a sleeping lock on PREEMPT_RT, so it is safe to take from
 * a context where preemption is disabled, such as a tracepoint handler. */
static DEFINE_RAW_SPINLOCK(r_spinlock);

static void ringbuf_lock(void)
{
    raw_spin_lock(&r_spinlock);
}

static void ringbuf_unlock(void)
{
    raw_spin_unlock(&r_spinlock);
}
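The snippet above shows only the lock type. To see why the type matters, the following userspace model, an added example rather than kernel code or the project's patch, reproduces the kernel's context check in miniature: a per-thread preempt_count stands in for the kernel's, might_sleep() stands in for __might_resched(), a "spinlock_t as PREEMPT_RT builds it" calls might_sleep() before acquiring, and a raw spinlock does not. A toy ring buffer with the shape of the producer side of struct bpf_ringbuf is then reserved from under preempt_disable(), as a tracepoint handler would do. All names (model_ringbuf, reserve_from_tracepoint, the atomic_violations counter) are assumptions of this model; the lock contention behaviour of real kernels is deliberately not modelled, only the context check that produces the splat.

```c
/* Userspace model of the sleep-in-atomic check behind CVE-2024-50138.
 * Added illustration; not kernel code and not the upstream fix. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's per-CPU preempt_count(). */
static __thread int preempt_count;
/* Number of would-be "BUG: sleeping function called from invalid context" splats. */
static __thread int atomic_violations;

static void preempt_disable(void) { preempt_count++; }
static void preempt_enable(void)  { preempt_count--; }

/* Model of might_sleep()/__might_resched(): a lock that may block must not be
 * taken while preemption is disabled. This is exactly the check that fired in
 * the trace above (__might_resched called from rt_spin_lock). */
static void might_sleep(const char *where)
{
    if (preempt_count > 0) {
        atomic_violations++;
        fprintf(stderr, "BUG: sleeping function called from invalid context in %s "
                        "(preempt_count: %d, expected: 0)\n", where, preempt_count);
    }
}

/* spinlock_t as PREEMPT_RT builds it: an rt_mutex, i.e. a lock whose slow path
 * sleeps, so its lock routine first checks that sleeping is allowed. */
typedef struct { atomic_flag held; } rt_spinlock_t;
static void rt_spin_lock(rt_spinlock_t *l)
{
    might_sleep("rt_spin_lock");
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
        ;   /* model: spin instead of sleeping, the context check is the point */
}
static void rt_spin_unlock(rt_spinlock_t *l) { atomic_flag_clear_explicit(&l->held, memory_order_release); }

/* raw_spinlock_t: a true busy-wait lock on every kernel config; it never
 * sleeps, so it is legal with preemption (or interrupts) disabled. */
typedef struct { atomic_flag held; } raw_spinlock_t;
static void raw_spin_lock(raw_spinlock_t *l)
{
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
        ;
}
static void raw_spin_unlock(raw_spinlock_t *l) { atomic_flag_clear_explicit(&l->held, memory_order_release); }

/* Toy ring buffer: producer position advanced under the lock, fixed data area. */
#define RB_SIZE 64
struct model_ringbuf {
    rt_spinlock_t  sleeping_lock;   /* the "before" lock */
    raw_spinlock_t raw_lock;        /* the "after" lock */
    bool           use_raw;         /* which variant this instance uses */
    size_t         producer_pos;
    size_t         consumer_pos;
    uint8_t        data[RB_SIZE];
};

static void model_ringbuf_init(struct model_ringbuf *rb, bool use_raw)
{
    memset(rb, 0, sizeof *rb);
    atomic_flag_clear(&rb->sleeping_lock.held);
    atomic_flag_clear(&rb->raw_lock.held);
    rb->use_raw = use_raw;
}

/* Shape of __bpf_ringbuf_reserve(): take the lock, reject a record that would
 * overrun unconsumed data, otherwise hand out an offset and advance the
 * producer position. Returns the offset or -1 when the buffer is full. */
static long model_ringbuf_reserve(struct model_ringbuf *rb, size_t size)
{
    long off = -1;

    if (rb->use_raw) raw_spin_lock(&rb->raw_lock); else rt_spin_lock(&rb->sleeping_lock);
    if (rb->producer_pos - rb->consumer_pos + size <= RB_SIZE) {
        off = (long)(rb->producer_pos % RB_SIZE);
        rb->producer_pos += size;
    }
    if (rb->use_raw) raw_spin_unlock(&rb->raw_lock); else rt_spin_unlock(&rb->sleeping_lock);
    return off;
}

/* A BPF program calling bpf_ringbuf_reserve() from a tracepoint handler runs
 * with preemption disabled. Returns how many sleep-in-atomic violations the
 * reserve produced; *off receives the reserved offset. */
static int reserve_from_tracepoint(struct model_ringbuf *rb, size_t size, long *off)
{
    atomic_violations = 0;
    preempt_disable();
    *off = model_ringbuf_reserve(rb, size);
    preempt_enable();
    return atomic_violations;
}

int main(void)
{
    struct model_ringbuf before, after;
    long off;

    model_ringbuf_init(&before, false);
    model_ringbuf_init(&after, true);
    printf("spinlock_t     : violations=%d off=%ld\n", reserve_from_tracepoint(&before, 16, &off), off);
    printf("raw_spinlock_t : violations=%d off=%ld\n", reserve_from_tracepoint(&after, 16, &off), off);
    return 0;
}
```

Running it prints one violation for the spinlock_t variant and none for the raw_spinlock_t variant, with the same offset handed out in both cases: the data path is identical, and only the lock's behaviour under a disabled-preemption context differs, which is why the upstream fix is a type change rather than a logic change.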

References

Original references that provide more information about this vulnerability and its fix can be found in the following links:

1. Linux kernel mailing list discussion about the issue: Link
2. Patch to resolve the issue in the Linux kernel source code: Link

Exploit Details

Exploiting this vulnerability could potentially lead to a variety of issues, including kernel panics or crashes, performance degradation, or data corruption. Since the bug sits in the ring buffer of the BPF (Berkeley Packet Filter) subsystem, any BPF program that reserves ring buffer space (as bpf_ringbuf_reserve_dynptr does in the trace above) from a tracepoint, where preemption is disabled, can trigger the issue on a PREEMPT_RT kernel.

Conclusion

The identified vulnerability in the Linux kernel, which concerns the lock used in the BPF ring buffer and is fixed by switching it to raw_spinlock_t, has been resolved by the developers. The fix improves the overall security and stability of the Linux kernel, providing a more secure and stable experience for users. Users are encouraged to apply patches and updates as soon as they become available to mitigate any potential security risks.

Timeline

Published on: 11/05/2024 18:15:16 UTC
Last modified on: 11/08/2024 14:27:41 UTC