{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42239", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-30T07:40:12.253Z", "datePublished": "2024-08-07T15:14:27.382Z", "dateUpdated": "2024-09-11T17:34:31.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-07T15:14:27.382Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/helpers.c"], "versions": [{"version": "b00628b1c7d5", "lessThan": "936983051868", "status": "affected", "versionType": "git"}, {"version": "b00628b1c7d5", "lessThan": "3e4e8178a866", "status": "affected", "versionType": "git"}, {"version": "b00628b1c7d5", "lessThan": "d4523831f07a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/helpers.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.41", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.10", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7"}, {"url": "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a"}, {"url": "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13"}], "title": "bpf: Fail bpf_timer_cancel when callback is being cancelled", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42239", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:13:54.505425Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:31.803Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42239", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:13:54.505425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:24.240Z"}}], "cna": {"title": "bpf: Fail bpf_timer_cancel when callback is being cancelled", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "b00628b1c7d5", "lessThan": "936983051868", "versionType": "git"}, {"status": "affected", "version": "b00628b1c7d5", "lessThan": "3e4e8178a866", "versionType": "git"}, {"status": "affected", "version": "b00628b1c7d5", "lessThan": "d4523831f07a", "versionType": "git"}], "programFiles": ["kernel/bpf/helpers.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "custom"}, {"status": "unaffected", "version": "6.6.41", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.10", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["kernel/bpf/helpers.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7"}, {"url": "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a"}, {"url": "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-07T15:14:27.382Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42239", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:31.803Z", "dateReserved": "2024-07-30T07:40:12.253Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-07T15:14:27.382Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA87C02E-A4BF-4FD7-AE47-A2AB23061A91", "versionEndExcluding": "6.6.41", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB2E8DEC-CFD5-4C2B-981D-E7E45A36C352", "versionEndExcluding": "6.9.10", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail bpf_timer_cancel when callback is being cancelled\n\nGiven a schedule:\n\ntimer1 cb\t\t\ttimer2 cb\n\nbpf_timer_cancel(timer2);\tbpf_timer_cancel(timer1);\n\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\n\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\n\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\n\nBackground on prior attempts:\n\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\n\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\n\treturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\n\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\n\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\n\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: falla bpf_timer_cancel cuando se cancela la devoluci\u00f3n de llamada. Dada una programaci\u00f3n: timer1 cb timer2 cb bpf_timer_cancel(timer2); bpf_timer_cancel(timer1); Ambas llamadas a bpf_timer_cancel esperar\u00edan a que la otra devoluci\u00f3n de llamada termine de ejecutarse, introduciendo un bloqueo. Agregue un recuento atomic_t llamado 'cancelaci\u00f3n' en bpf_hrtimer. Esto realiza un seguimiento de todas las solicitudes de cancelaci\u00f3n en vuelo para un temporizador BPF determinado. Siempre que cancelemos un temporizador BPF, debemos verificar si tenemos solicitudes de cancelaci\u00f3n pendientes y, de ser as\u00ed, debemos fallar la operaci\u00f3n con un error (-EDEADLK) ya que la cancelaci\u00f3n es sincr\u00f3nica y espera a que termine de ejecutarse la devoluci\u00f3n de llamada. Esto implica que podemos entrar en una situaci\u00f3n de punto muerto que involucre dos o m\u00e1s devoluciones de llamada de temporizador ejecut\u00e1ndose en paralelo e intentando cancelarse entre s\u00ed. Tenga en cuenta que evitamos incrementar el contador de cancelaci\u00f3n para el temporizador de destino (el que se cancela) si no se invoca bpf_timer_cancel desde una devoluci\u00f3n de llamada, para evitar errores falsos. El objetivo de detectar cur->cancelar y devolver -EDEADLK es no ingresar a un ciclo de espera ocupado (que puede o no conducir a un bloqueo). Esto no se aplica en caso de que la persona que llama se encuentre en un contexto sin devoluci\u00f3n de llamada; la otra parte puede continuar cancelando como mejor le parezca sin cometer errores. Antecedentes de intentos anteriores: Las versiones anteriores de este parche usaban un bit bool de 'cancelaci\u00f3n' y usaban el siguiente patr\u00f3n en temporizador->bloqueo para publicar el estado de cancelaci\u00f3n. lock(t->lock); t->cancelling = true; mb(); if (cur->cancelling) return -EDEADLK; unlock(t->lock); hrtimer_cancel(t->timer); t->cancelling = false; El almac\u00e9n fuera de la secci\u00f3n cr\u00edtica podr\u00eda sobrescribir una asignaci\u00f3n de cancelaci\u00f3n t->de solicitudes paralelas a verdadero, para garantizar que la devoluci\u00f3n de llamada que se ejecuta en paralelo observe su estado de cancelaci\u00f3n. Ser\u00eda necesario borrar este bit de cancelaci\u00f3n una vez que se complete hrtimer_cancel, pero la falta de serializaci\u00f3n introdujo ejecuciones. Se explor\u00f3 otra opci\u00f3n donde bpf_timer_start borrar\u00eda el bit al (re)iniciar el temporizador bajo temporizador->bloqueo. Esto garantizar\u00eda el acceso serializado al bit de cancelaci\u00f3n, pero puede permitir que se borre antes de que hrtimer_cancel en vuelo haya terminado de ejecutarse, de modo que los bloqueos puedan ocurrir nuevamente. Por lo tanto, elegimos un contador at\u00f3mico para realizar un seguimiento de todas las solicitudes de cancelaci\u00f3n pendientes y lo utilizamos para evitar bloqueos en caso de que las devoluciones de llamada intenten cancelarse entre s\u00ed mientras se ejecutan en paralelo."}], "id": "CVE-2024-42239", "lastModified": "2024-08-08T14:54:08.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-07T16:15:46.733", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e4e8178a8666c56813bd167b848fca0f4c9af0a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9369830518688ecd5b08ffc08ab3302ce2b5d0f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d4523831f07a267a943f0dde844bf8ead7495f13"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf: Fail bpf_timer_cancel when callback is being cancelled", "id": "2303507", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2303507"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fail bpf_timer_cancel when callback is being cancelled\nGiven a schedule:\ntimer1 cbtimer2 cb\nbpf_timer_cancel(timer2);bpf_timer_cancel(timer1);\nBoth bpf_timer_cancel calls would wait for the other callback to finish\nexecuting, introducing a lockup.\nAdd an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps\ntrack of all in-flight cancellation requests for a given BPF timer.\nWhenever cancelling a BPF timer, we must check if we have outstanding\ncancellation requests, and if so, we must fail the operation with an\nerror (-EDEADLK) since cancellation is synchronous and waits for the\ncallback to finish executing. This implies that we can enter a deadlock\nsituation involving two or more timer callbacks executing in parallel\nand attempting to cancel one another.\nNote that we avoid incrementing the cancelling counter for the target\ntimer (the one being cancelled) if bpf_timer_cancel is not invoked from\na callback, to avoid spurious errors. The whole point of detecting\ncur->cancelling and returning -EDEADLK is to not enter a busy wait loop\n(which may or may not lead to a lockup). This does not apply in case the\ncaller is in a non-callback context, the other side can continue to\ncancel as it sees fit without running into errors.\nBackground on prior attempts:\nEarlier versions of this patch used a bool 'cancelling' bit and used the\nfollowing pattern under timer->lock to publish cancellation status.\nlock(t->lock);\nt->cancelling = true;\nmb();\nif (cur->cancelling)\nreturn -EDEADLK;\nunlock(t->lock);\nhrtimer_cancel(t->timer);\nt->cancelling = false;\nThe store outside the critical section could overwrite a parallel\nrequests t->cancelling assignment to true, to ensure the parallely\nexecuting callback observes its cancellation status.\nIt would be necessary to clear this cancelling bit once hrtimer_cancel\nis done, but lack of serialization introduced races. Another option was\nexplored where bpf_timer_start would clear the bit when (re)starting the\ntimer under timer->lock. This would ensure serialized access to the\ncancelling bit, but may allow it to be cleared before in-flight\nhrtimer_cancel has finished executing, such that lockups can occur\nagain.\nThus, we choose an atomic counter to keep track of all outstanding\ncancellation requests and use it to prevent lockups in case callbacks\nattempt to cancel each other while executing in parallel."], "name": "CVE-2024-42239", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-42239\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42239\nhttps://lore.kernel.org/linux-cve-announce/2024080740-CVE-2024-42239-a15f@gregkh/T"], "threat_severity": "Moderate"}