CVE-2024-58088 Information

Mar 13, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

bpf: Fix deadlock when freeing cgroup storage

The following commit bc235cdb423a (pf: Prevent deadlock from recursive bpf_task_storage_[get|delete]) first introduced deadlock prevention for fentry/fexit programs attaching on bpf_task_storage helpers. That commit also employed the logic in map free path in its v6 version.

Later bpf_cgrp_storage was first introduced in c4bcfb38a95e (pf: Implement cgroup storage available to non-cgroup-attached bpf progs) which faces the same issue as bpf_task_storage instead of its busy counter NULL was passed to bpf_local_storage_map_free() which opened a window to cause deadlock:

<TASK>
	(acquiring local_storage->lock)
_raw_spin_lock_irqsave+0x3d/0x50
bpf_local_storage_update+0xd1/0x460
bpf_cgrp_storage_get+0x109/0x130
bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170
? __bpf_prog_enter_recur+0x16/0x80
bpf_trampoline_6442485186+0x43/0xa4
cgroup_storage_ptr+0x9/0x20
	(holding local_storage->lock)
bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160
bpf_selem_unlink_storage+0x6f/0x110
bpf_local_storage_map_free+0xa2/0x110
bpf_map_free_deferred+0x5b/0x90
process_one_work+0x17c/0x390
worker_thread+0x251/0x360
kthread+0xd2/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>

Progs:

  • A: SEC( entry/cgroup_storage_ptr)
    • cgid (BPF_MAP_TYPE_HASH) Record the id of the cgroup the current task belonging to in this hash map using the address of the cgroup as the map key.
    • cgrpa (BPF_MAP_TYPE_CGRP_STORAGE) If current task is a kworker lookup the above hash map using function parameter @owner as the key to get its corresponding cgroup id which is then used to get a trusted pointer to the cgroup through bpf_cgroup_from_id(). This trusted pointer can then be passed to bpf_cgrp_storage_get() to finally trigger the deadlock issue.
  • B: SEC( p_btf/sys_enter)
    • cgrpb (BPF_MAP_TYPE_CGRP_STORAGE) The only purpose of this prog is to fill Prog A’s hash map by calling bpf_cgrp_storage_get() for as many userspace tasks as possible.

Steps to reproduce:

  • Run A;
  • while (true) Run B; Destroy B;

Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking.

Reference

https://git.kernel.org/stable/c/6ecb9fa14eec5f15d97c84c36896871335f6ddfb https://git.kernel.org/stable/c/c78f4afbd962f43a3989f45f3ca04300252b19b5 https://git.kernel.org/stable/c/fac674d2bd68f3479f27328626b42d1eebd11fef https://git.kernel.org/stable/c/fcec95b4ab3e7bc6b2f36e5d59f7e24104ea87f7

Share on: