ghsa-44x6-67xw-4m95
Vulnerability from github
Published
2025-03-06 18:31
Modified
2025-03-25 15:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT is enabled.

[ 35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs [ 35.118569] preempt_count: 1, expected: 0 [ 35.118571] RCU nest depth: 1, expected: 1 [ 35.118577] INFO: lockdep is turned off. ... [ 35.118647] __might_resched+0x433/0x5b0 [ 35.118677] rt_spin_lock+0xc3/0x290 [ 35.118700] slaballoc+0x72/0xc40 [ 35.118723] kmalloc_noprof+0x13f/0x4e0 [ 35.118732] bpf_map_kzalloc+0xe5/0x220 [ 35.118740] bpf_selem_alloc+0x1d2/0x7b0 [ 35.118755] bpf_local_storage_update+0x2fa/0x8b0 [ 35.118784] bpf_sk_storage_get_tracing+0x15a/0x1d0 [ 35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66 [ 35.118795] bpf_trace_run3+0x222/0x400 [ 35.118820] __bpf_trace_inet_sock_set_state+0x11/0x20 [ 35.118824] trace_inet_sock_set_state+0x112/0x130 [ 35.118830] inet_sk_state_store+0x41/0x90 [ 35.118836] tcp_set_state+0x3b3/0x640

There is no need to adjust the gfp_flags passing to the bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL. The verifier has ensured GFP_KERNEL is passed only in sleepable context.

It has been an old issue since the first introduction of the bpf_local_storage ~5 years ago, so this patch targets the bpf-next.

bpf_mem_alloc is needed to solve it, so the Fixes tag is set to the commit when bpf_mem_alloc was first used in the bpf_local_storage.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-58070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-06T16:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT\n\nIn PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible\ncontext. bpf_mem_alloc must be used in PREEMPT_RT. This patch is\nto enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT\nis enabled.\n\n[   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs\n[   35.118569] preempt_count: 1, expected: 0\n[   35.118571] RCU nest depth: 1, expected: 1\n[   35.118577] INFO: lockdep is turned off.\n    ...\n[   35.118647]  __might_resched+0x433/0x5b0\n[   35.118677]  rt_spin_lock+0xc3/0x290\n[   35.118700]  ___slab_alloc+0x72/0xc40\n[   35.118723]  __kmalloc_noprof+0x13f/0x4e0\n[   35.118732]  bpf_map_kzalloc+0xe5/0x220\n[   35.118740]  bpf_selem_alloc+0x1d2/0x7b0\n[   35.118755]  bpf_local_storage_update+0x2fa/0x8b0\n[   35.118784]  bpf_sk_storage_get_tracing+0x15a/0x1d0\n[   35.118791]  bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66\n[   35.118795]  bpf_trace_run3+0x222/0x400\n[   35.118820]  __bpf_trace_inet_sock_set_state+0x11/0x20\n[   35.118824]  trace_inet_sock_set_state+0x112/0x130\n[   35.118830]  inet_sk_state_store+0x41/0x90\n[   35.118836]  tcp_set_state+0x3b3/0x640\n\nThere is no need to adjust the gfp_flags passing to the\nbpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL.\nThe verifier has ensured GFP_KERNEL is passed only in sleepable context.\n\nIt has been an old issue since the first introduction of the\nbpf_local_storage ~5 years ago, so this patch targets the bpf-next.\n\nbpf_mem_alloc is needed to solve it, so the Fixes tag is set\nto the commit when bpf_mem_alloc was first used in the bpf_local_storage.",
  "id": "GHSA-44x6-67xw-4m95",
  "modified": "2025-03-25T15:31:22Z",
  "published": "2025-03-06T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58070"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3392fa605d7c5708c5fbe02e4fbdac547c3b7352"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8eef6ac4d70eb1f0099fff93321d90ce8fa49ee1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0027500000dfcb8ee952557d565064cea22c43e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1d398a3af7e59d7fef351c84fed7ebb575d1f1a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.