CVE-2024-35860

{"id": "CVE-2024-35860", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-19T09:15:07.603", "references": [{"url": "https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support deferring bpf_link dealloc to after RCU grace period\n\nBPF link for some program types is passed as a \"context\" which can be\nused by those BPF programs to look up additional information. E.g., for\nmulti-kprobes and multi-uprobes, link is used to fetch BPF cookie values.\n\nBecause of this runtime dependency, when bpf_link refcnt drops to zero\nthere could still be active BPF programs running accessing link data.\n\nThis patch adds generic support to defer bpf_link dealloc callback to\nafter RCU GP, if requested. This is done by exposing two different\ndeallocation callbacks, one synchronous and one deferred. If deferred\none is provided, bpf_link_free() will schedule dealloc_deferred()\ncallback to happen after RCU GP.\n\nBPF is using two flavors of RCU: \"classic\" non-sleepable one and RCU\ntasks trace one. The latter is used when sleepable BPF programs are\nused. bpf_link_free() accommodates that by checking underlying BPF\nprogram's sleepable flag, and goes either through normal RCU GP only for\nnon-sleepable, or through RCU tasks trace GP *and* then normal RCU GP\n(taking into account rcu_trace_implies_rcu_gp() optimization), if BPF\nprogram is sleepable.\n\nWe use this for multi-kprobe and multi-uprobe links, which dereference\nlink during program run. We also preventively switch raw_tp link to use\ndeferred dealloc callback, as upcoming changes in bpf-next tree expose\nraw_tp link data (specifically, cookie value) to BPF program at runtime\nas well."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: se admite el aplazamiento de la asignaci\u00f3n de bpf_link despu\u00e9s del per\u00edodo de gracia de RCU. El enlace BPF para algunos tipos de programas se pasa como un \"contexto\" que pueden utilizar esos programas BPF para buscar informaci\u00f3n adicional. Por ejemplo, para multi-kprobes y multi-uprobes, el enlace se utiliza para recuperar valores de cookies BPF. Debido a esta dependencia del tiempo de ejecuci\u00f3n, cuando bpf_link refcnt cae a cero, todav\u00eda podr\u00eda haber programas BPF activos ejecut\u00e1ndose y accediendo a los datos del enlace. Este parche agrega soporte gen\u00e9rico para diferir la devoluci\u00f3n de llamada de bpf_link dealloc despu\u00e9s de RCU GP, si se solicita. Esto se hace exponiendo dos devoluciones de llamada de desasignaci\u00f3n diferentes, una sincr\u00f3nica y otra diferida. Si se proporciona uno diferido, bpf_link_free() programar\u00e1 la devoluci\u00f3n de llamada de dealloc_deferred() para que se realice despu\u00e9s de RCU GP. BPF utiliza dos tipos de RCU: uno \"cl\u00e1sico\" que no se puede dormir y uno de seguimiento de tareas de RCU. Este \u00faltimo se utiliza cuando se utilizan programas BPF que se pueden dormir. bpf_link_free() se adapta a eso al verificar el indicador de suspensi\u00f3n del programa BPF subyacente, y pasa por la GP de RCU normal solo para los no dormidos, o a trav\u00e9s de tareas de RCU rastrean la GP *y* luego la GP de RCU normal (teniendo en cuenta la optimizaci\u00f3n de rcu_trace_implies_rcu_gp()), si El programa BPF se puede dormir. Usamos esto para enlaces multi-kprobe y multi-uprobe, que desreferencian el enlace durante la ejecuci\u00f3n del programa. Tambi\u00e9n cambiamos preventivamente el enlace raw_tp para usar la devoluci\u00f3n de llamada de dealloc diferida, ya que los pr\u00f3ximos cambios en el \u00e1rbol bpf-next tambi\u00e9n exponen los datos del enlace raw_tp (espec\u00edficamente, el valor de la cookie) al programa BPF en tiempo de ejecuci\u00f3n."}], "lastModified": "2025-09-26T16:03:27.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BAFF545A-B677-4A95-8623-C54ED5D40C3D", "versionEndExcluding": "6.6.26", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBD6C99E-4250-4DFE-8447-FF2075939D10", "versionEndExcluding": "6.8.5", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}