We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-26737

bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel



Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.

Reserved 2024-02-19 | Published 2024-04-03 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

b00628b1c7d595ae5b544e059c27b1f5828314b4 before 5268bb02107b9eedfdcd51db75b407d10043368c
affected

b00628b1c7d595ae5b544e059c27b1f5828314b4 before addf5e297e6cbf5341f9c07720693ca9ba0057b5
affected

b00628b1c7d595ae5b544e059c27b1f5828314b4 before 8327ed12e8ebc5436bfaa1786c49988894f9c8a6
affected

b00628b1c7d595ae5b544e059c27b1f5828314b4 before 7d80a9e745fa5b47da3bca001f186c02485c7c33
affected

b00628b1c7d595ae5b544e059c27b1f5828314b4 before 0281b919e175bb9c3128bd3872ac2903e9436e3f
affected

Default status
affected

5.15
affected

Any version before 5.15
unaffected

5.15.150
unaffected

6.1.80
unaffected

6.6.19
unaffected

6.7.7
unaffected

6.8
unaffected

References

git.kernel.org/...c/5268bb02107b9eedfdcd51db75b407d10043368c

git.kernel.org/...c/addf5e297e6cbf5341f9c07720693ca9ba0057b5

git.kernel.org/...c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6

git.kernel.org/...c/7d80a9e745fa5b47da3bca001f186c02485c7c33

git.kernel.org/...c/0281b919e175bb9c3128bd3872ac2903e9436e3f

cve.org (CVE-2024-26737)

nvd.nist.gov (CVE-2024-26737)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-26737

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.