In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last tcp_ao_info. On the socket destruction tcp_ao_info ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed. The static key definition is:

	DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcp_ao_needed is in the process of disablement, other CPUs may yet see tcp_ao_info which isn't dead, but soon-to-be. And that breaks the assumption of static_key_fast_inc_not_disabled(). See the comment near the definition:

> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex. static_key_fast_inc_not_disabled() is just a helper for such usage case.

But it must not be used if the static branch could get disabled in parallel as it's not protected by jump_label_mutex and as a result, races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[] <TASK>
[] arch_jump_label_transform_queue+0x6c/0x110
[] __jump_label_update+0xef/0x350
[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[] jump_label_update_timeout+0x2c/0x40
[] process_one_work+0xe3b/0x1670
[] worker_thread+0x587/0xce0
[] kthread+0x28a/0x350
[] ret_from_fork+0x31/0x70
[] ret_from_fork_asm+0x1a/0x30
[] </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr

The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
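The ordering problem the advisory describes, as an added illustration that is not kernel code and not part of the advisory: a single-threaded timeline model in which the HZ-deferred release of the static key (pre-fix) can fire before the RCU grace period that frees tcp_ao_info ends, so a reader that still sees tcp_ao_info takes the fast-inc path on an already disabled key; with the key released from the RCU callback instead (the fix), that ordering cannot occur. All `model_*` names, the event kinds and the millisecond timings are this example's own assumptions; `model_fast_inc_not_disabled()` only mimics the contract of the kernel helper (add a user, never patch), and the grace period is modelled as ending just after the slow reader finishes, which is what RCU guarantees.

```c
/* Added example, not kernel code: a timeline model of the TCP-AO static key
 * release racing with the RCU grace period that frees tcp_ao_info.
 * Every name prefixed with model_ is an assumption of this example. */
#include <stdbool.h>
#include <stdio.h>

/* Tie order on equal timestamps: the RCU callback frees the object before
 * any key decrement issued from that same callback. */
enum model_event_kind { EV_READER = 0, EV_RCU_FREE = 1, EV_KEY_DEC = 2 };

struct model_event {
	unsigned at_ms;
	enum model_event_kind kind;
};

struct model_state {
	int key_users;       /* tcp_ao_needed user count; branch patched out at 0 */
	bool ao_info_alive;  /* tcp_ao_info not yet freed by its RCU callback */
	bool violation;      /* fast-inc attempted while the key was disabled */
};

enum model_outcome { OUT_OK, OUT_VIOLATION };

/* Mimics the contract of static_key_fast_inc_not_disabled(): add a user only
 * if the key is enabled, never patch.  The caller must already know the key
 * cannot be disabled concurrently; seeing a disabled key here is the broken
 * assumption the advisory describes. */
static bool model_fast_inc_not_disabled(struct model_state *s)
{
	if (s->key_users <= 0)
		return false;
	s->key_users++;
	return true;
}

static void model_apply(struct model_state *s, const struct model_event *e)
{
	switch (e->kind) {
	case EV_READER:
		/* A CPU that entered its RCU read-side section before the socket
		 * was destroyed still sees tcp_ao_info, concludes the branch must
		 * be enabled, and takes the fast path. */
		if (s->ao_info_alive && !model_fast_inc_not_disabled(s))
			s->violation = true;
		break;
	case EV_RCU_FREE:
		s->ao_info_alive = false;
		break;
	case EV_KEY_DEC:
		s->key_users--;  /* reaching 0 patches the jump label out */
		break;
	}
}

/* Insertion sort by time, ties broken by event kind (see the enum). */
static void model_sort(struct model_event *ev, int n)
{
	for (int i = 1; i < n; i++) {
		struct model_event cur = ev[i];
		int j = i - 1;
		while (j >= 0 && (ev[j].at_ms > cur.at_ms ||
		       (ev[j].at_ms == cur.at_ms && ev[j].kind > cur.kind))) {
			ev[j + 1] = ev[j];
			j--;
		}
		ev[j + 1] = cur;
	}
}

/* fixed:     false = key released by the deferred timer (pre-fix behaviour),
 *            true  = key released from the RCU callback that frees tcp_ao_info.
 * defer_ms:  the deferred timeout (HZ, i.e. 1000 ms in the advisory).
 * reader_ms: when a slow reader on another CPU reaches the fast-inc.  RCU
 *            guarantees the grace period cannot end before that reader is
 *            done, so the grace period is modelled as ending at reader_ms + 1. */
enum model_outcome model_simulate(bool fixed, unsigned defer_ms, unsigned reader_ms)
{
	struct model_state s = { .key_users = 1, .ao_info_alive = true, .violation = false };
	unsigned grace_end_ms = reader_ms + 1;
	struct model_event ev[3] = {
		{ reader_ms, EV_READER },
		{ grace_end_ms, EV_RCU_FREE },
		{ fixed ? grace_end_ms : defer_ms, EV_KEY_DEC },
	};

	model_sort(ev, 3);
	for (int i = 0; i < 3; i++)
		model_apply(&s, &ev[i]);
	return s.violation ? OUT_VIOLATION : OUT_OK;
}

int main(void)
{
	printf("pre-fix, grace period 0.5 s: %s\n",
	       model_simulate(false, 1000, 500) == OUT_OK ? "ok" : "VIOLATION");
	printf("pre-fix, grace period 1.5 s: %s\n",
	       model_simulate(false, 1000, 1500) == OUT_OK ? "ok" : "VIOLATION");
	printf("fixed,   grace period 1.5 s: %s\n",
	       model_simulate(true, 1000, 1500) == OUT_OK ? "ok" : "VIOLATION");
	return 0;
}
```

The second run reproduces the advisory's scenario (grace period longer than the one-second deferral): the key hits zero users while a reader can still dereference tcp_ao_info, so the fast path finds a disabled key, which is the precondition violation behind the jump_label BUG in the trace. Tying the key release to the RCU callback makes the decrement happen only after every such reader has finished, which is what the fix does.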
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last tcp_ao_info. On the socket destruction tcp_ao_info ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed. The static key definition is:

DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcp_ao_needed is in the process of disablement, other CPUs may yet see tcp_ao_info which aren't dead, but soon-to-be. And that breaks the assumption of static_key_fast_inc_not_disabled().

See the comment near the definition:

> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex.

static_key_fast_inc_not_disabled() is just a helper for such usage case. But it must not be used if the static branch could get disabled in parallel as it's not protected by jump_label_mutex and as a result, races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[] <TASK>
[] arch_jump_label_transform_queue+0x6c/0x110
[] __jump_label_update+0xef/0x350
[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[] jump_label_update_timeout+0x2c/0x40
[] process_one_work+0xe3b/0x1670
[] worker_thread+0x587/0xce0
[] kthread+0x28a/0x350
[] ret_from_fork+0x31/0x70
[] ret_from_fork_asm+0x1a/0x30
[] </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr

The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
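The teardown ordering the commit message argues about, as an added sequential model in C (not kernel code and not taken from the fix commit): a deferred static key whose last user is dropped either at socket destruction, before the RCU grace period (the vulnerable order), or from the RCU callback after it (the fix). The names deferred_key, ao_info, run_teardown() and the two teardown_order values are this model's own, and the timing assumption that the HZ timeout elapses before the grace period ends is the one the report describes.

```c
/*
 * Constructed model of the teardown ordering behind CVE-2024-43887. Not
 * kernel code: deferred_key, ao_info and run_teardown() are this model's own
 * names mirroring tcp_ao_needed, tcp_ao_info and socket destruction.
 */
#include <stdbool.h>
#include <stdio.h>

/* A deferred static key. As in the kernel, dropping the last user does not
 * touch the count right away: it schedules the real decrement and jump-label
 * patch for later (HZ in DEFINE_STATIC_KEY_DEFERRED_FALSE). */
struct deferred_key {
    int  users;            /* key->enabled: number of users */
    bool disable_pending;  /* last user dropped, patch work scheduled */
    bool branch_enabled;   /* current state of the patched code */
};

/* RCU-published per-socket state, standing in for tcp_ao_info. */
struct ao_info {
    bool freed;
};

enum teardown_order {
    DEC_BEFORE_GRACE_PERIOD,  /* vulnerable: drop key user, then RCU-free info */
    DEC_AFTER_GRACE_PERIOD,   /* fixed: drop key user from the RCU callback */
};

/* Contract of static_key_fast_inc_not_disabled(): it only adds a user to a key
 * that is already enabled and that the caller guarantees cannot be disabled in
 * parallel. The model counts a call made while the disable work is pending as
 * a violation; in the kernel that is the window racing jump_label_update(). */
static bool fast_inc_not_disabled(struct deferred_key *key, int *violations)
{
    if (key->users <= 0)
        return false;              /* genuinely disabled: refused */
    if (key->disable_pending)
        (*violations)++;
    key->users++;
    return true;
}

/* static_key_slow_dec_deferred(): a non-final user drops immediately; the
 * final one only schedules the patch work and leaves the count at 1. */
static void key_slow_dec_deferred(struct deferred_key *key)
{
    if (key->users > 1)
        key->users--;
    else
        key->disable_pending = true;
}

/* The scheduled work (jump_label_update_timeout in the trace). */
static void key_timeout_work(struct deferred_key *key)
{
    if (!key->disable_pending)
        return;
    key->disable_pending = false;
    if (--key->users == 0)
        key->branch_enabled = false;   /* jump label patched to "off" */
}

/* One interleaving: a reader loads ao_info inside an RCU read section, the
 * owner destroys the socket, the reader (still seeing a live ao_info) takes a
 * key user the fast way, the HZ timeout fires, and only then does the grace
 * period end. Returns the number of contract violations observed. */
static int run_teardown(enum teardown_order order)
{
    struct deferred_key key = { .users = 1, .branch_enabled = true };
    struct ao_info info = { .freed = false };
    const struct ao_info *seen;
    int violations = 0;

    seen = &info;                          /* rcu_read_lock(); rcu_dereference() */

    if (order == DEC_BEFORE_GRACE_PERIOD)  /* socket destruction */
        key_slow_dec_deferred(&key);
    /* call_rcu(): info is freed only after the reader leaves its section */

    if (!seen->freed)                      /* reader: ao_info is live, so the
                                              key "must be enabled": add a user */
        fast_inc_not_disabled(&key, &violations);
    /* rcu_read_unlock() */

    key_timeout_work(&key);                /* HZ elapsed before the grace period */

    info.freed = true;                     /* grace period over: RCU callback */
    if (order == DEC_AFTER_GRACE_PERIOD)
        key_slow_dec_deferred(&key);
    key_timeout_work(&key);

    return violations;
}

int main(void)
{
    printf("dec before grace period: %d contract violation(s)\n",
           run_teardown(DEC_BEFORE_GRACE_PERIOD));
    printf("dec after grace period:  %d contract violation(s)\n",
           run_teardown(DEC_AFTER_GRACE_PERIOD));
    return 0;
}
```

In the fixed order the reader's new full socket simply becomes the key's remaining user, so the disable work is never scheduled while anyone can still see the old tcp_ao_info.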
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
2. Vulnerability analysis structure feedback
Impact analysis description:
</details>
</details>
</details>
</details>
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
II. Vulnerability analysis structure feedback
Impact analysis description:
In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last tcp_ao_info. On the socket destruction tcp_ao_info ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed. The static key definition is:

DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcp_ao_needed is in the process of disablement, other CPUs may yet see tcp_ao_info which aren't dead, but soon-to-be. And that breaks the assumption of static_key_fast_inc_not_disabled(). See the comment near the definition:

> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex. static_key_fast_inc_not_disabled() is just a helper for such usage case.

But it must not be used if the static branch could get disabled in parallel as it's not protected by jump_label_mutex and as a result, races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[] <TASK>
[] arch_jump_label_transform_queue+0x6c/0x110
[] __jump_label_update+0xef/0x350
[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[] jump_label_update_timeout+0x2c/0x40
[] process_one_work+0xe3b/0x1670
[] worker_thread+0x587/0xce0
[] kthread+0x28a/0x350
[] ret_from_fork+0x31/0x70
[] ret_from_fork_asm+0x1a/0x30
[] </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr

The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last tcp_ao_info. On the socket destruction tcp_ao_info ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed. The static key definition is:

 DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcp_ao_needed is in the process of disablement, other CPUs may yet see tcp_ao_info which aren't dead, but soon-to-be. And that breaks the assumption of static_key_fast_inc_not_disabled(). See the comment near the definition:

> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex. static_key_fast_inc_not_disabled() is just a helper for such usage case. But it must not be used if the static branch could get disabled in parallel as it's not protected by jump_label_mutex and as a result, races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[] <TASK>
[] arch_jump_label_transform_queue+0x6c/0x110
[] __jump_label_update+0xef/0x350
[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[] jump_label_update_timeout+0x2c/0x40
[] process_one_work+0xe3b/0x1670
[] worker_thread+0x587/0xce0
[] kthread+0x28a/0x350
[] ret_from_fork+0x31/0x70
[] ret_from_fork_asm+0x1a/0x30
[] </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr

The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
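Added example, not code from the kernel or from the fix commits linked on this page: a single-threaded C model of the ordering the commit message describes. It assumes, from the commit title alone (the page does not show the diff), that the fix consists of dropping the static-key user from the RCU callback that frees tcp_ao_info instead of before call_rcu(); every model_* name is hypothetical and stands in for the kernel object named in its comment. The model shows the contract of static_key_fast_inc_not_disabled() being broken when the key user is dropped before the grace period ends (a reader still holding a live ao_info finds a disabled key) and holding when the drop is deferred to the callback. It models the lifetime rule only, not the x86 jump_label patching race that produced the oops above.

```c
/*
 * Single-threaded model of the lifetime rule behind CVE-2024-43887. Added
 * example, not kernel code: every model_* name is hypothetical. The static key
 * is a plain counter, RCU is "unpublish now, free in a callback later", and the
 * HZ deferral of the real key is folded into the decrement, because only its
 * order relative to the grace period matters here.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct static_key: user count; reaching 0 is where the kernel
 * would start rewriting the branch sites (jump_label_update()). */
struct model_static_key {
	int enabled;
};

/* Stand-in for tcp_ao_info. A reader that finds one assumes the key is on. */
struct model_ao_info {
	struct model_static_key *key;
};

struct model_result {
	bool fast_inc_ok;	/* the reader's fast increment found an enabled key */
	int final_enabled;	/* key count after every user is gone (0 = no leak) */
};

/* Contract of static_key_fast_inc_not_disabled(): add a user to an already
 * enabled key without patching code or taking jump_label_mutex. The caller
 * must therefore be able to rule out a concurrent disable. */
static bool model_fast_inc_not_disabled(struct model_static_key *key)
{
	int v = key->enabled;

	if (v <= 0 || v > INT_MAX / 2)
		return false;
	key->enabled = v + 1;
	return true;
}

/* static_branch_slow_dec_deferred() with its HZ delay folded in. */
static void model_slow_dec(struct model_static_key *key)
{
	key->enabled--;
}

/* One interleaving of listener teardown against a request-socket upgrade.
 * dec_after_grace_period selects the buggy (false) or fixed (true) order. */
static struct model_result model_run(bool dec_after_grace_period)
{
	struct model_static_key key = { .enabled = 0 };
	struct model_ao_info *ao, *held;
	struct model_result r;

	/* Listener adds its first AO key: ao_info allocated, branch turned on. */
	ao = calloc(1, sizeof(*ao));
	if (!ao)
		abort();
	ao->key = &key;
	key.enabled++;				/* static_branch_inc(): 0 -> 1 */

	held = ao;				/* CPU A: rcu_read_lock(); rcu_dereference() */

	/* CPU B: tcp_ao_destroy_sock(). The pointer is unpublished and the free
	 * is queued with call_rcu(); CPU A keeps `held` until its read section ends. */
	ao = NULL;
	if (!dec_after_grace_period)
		model_slow_dec(&key);		/* buggy: dropped while CPU A still holds ao_info */

	/* The grace period outlives the HZ deferral. CPU A now turns a request
	 * socket into a full socket and, holding a live ao_info, takes the fast path. */
	r.fast_inc_ok = model_fast_inc_not_disabled(held->key);

	/* CPU A leaves its read section, the grace period ends, the callback runs. */
	if (dec_after_grace_period)
		model_slow_dec(held->key);	/* fixed: no reader can still hold ao_info */
	free(held);

	if (r.fast_inc_ok)
		model_slow_dec(&key);		/* the child socket closes later */
	r.final_enabled = key.enabled;
	return r;
}

int main(void)
{
	printf("dec before grace period: fast inc %s\n",
	       model_run(false).fast_inc_ok ? "legitimate" : "hit a disabled key");
	printf("dec after grace period:  fast inc %s\n",
	       model_run(true).fast_inc_ok ? "legitimate" : "hit a disabled key");
	return 0;
}
```

The invariant the reader relies on is "a live tcp_ao_info implies an enabled key". It only holds if nothing can drop the key's last user while an RCU reader may still be holding the object, which is exactly what moving the decrement behind the grace period guarantees; a deferred key with a fixed HZ timeout cannot provide that on its own, since a grace period has no upper bound.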
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
2. Vulnerability analysis structure feedback
Impact analysis notes:
</details>
</details>
</details>
</details>
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Disable TCP-AO static key after RCU grace period

The lifetime of TCP-AO static_key is the same as the last tcp_ao_info. On the socket destruction tcp_ao_info ceases to be with RCU grace period, while tcp-ao static branch is currently deferred destructed. The static key definition is:

    DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);

which means that if RCU grace period is delayed by more than a second and tcp_ao_needed is in the process of disablement, other CPUs may yet see tcp_ao_info which aren't dead, but soon-to-be. And that breaks the assumption of static_key_fast_inc_not_disabled().

See the comment near the definition:

> * The caller must make sure that the static key can't get disabled while
> * in this function. It doesn't patch jump labels, only adds a user to
> * an already enabled static key.

Originally it was introduced in commit eb8c507296f6 ("jump_label: Prevent key->enabled int overflow"), which is needed for the atomic contexts, one of which would be the creation of a full socket from a request socket. In that atomic context, it's known by the presence of the key (md5/ao) that the static branch is already enabled. So, the ref counter for that static branch is just incremented instead of holding the proper mutex. static_key_fast_inc_not_disabled() is just a helper for such usage case. But it must not be used if the static branch could get disabled in parallel as it's not protected by jump_label_mutex and as a result, races with jump_label_update() implementation details.

Happened on netdev test-bot[1], so not a theoretical issue:

```text
[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1
[] ------------[ cut here ]------------
[] kernel BUG at arch/x86/kernel/jump_label.c:73!
[] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1
[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[] Workqueue: events jump_label_update_timeout
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
...
[] Call Trace:
[] <TASK>
[] arch_jump_label_transform_queue+0x6c/0x110
[] __jump_label_update+0xef/0x350
[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60
[] jump_label_update_timeout+0x2c/0x40
[] process_one_work+0xe3b/0x1670
[] worker_thread+0x587/0xce0
[] kthread+0x28a/0x350
[] ret_from_fork+0x31/0x70
[] ret_from_fork_asm+0x1a/0x30
[] </TASK>
[] Modules linked in: veth
[] ---[ end trace 0000000000000000 ]---
[] RIP: 0010:__jump_label_patch+0x2f6/0x350
```

[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr

The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
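The lifetime rule the commit message describes, as an added single-threaded C model written for this page (it is not kernel code and not the patch): a reader that can still see an RCU-protected object must be able to rely on the object's static-key reference being held, which only holds if the reference is dropped from the RCU callback, after the grace period, rather than at socket destruction. The names `model_key`, `ao_info`, `model_call_rcu`, `model_grace_period_end` and `scenario` are constructed stand-ins for `static_key`, `tcp_ao_info`, `call_rcu` and a grace period; the model covers only the reference-count ordering, not the deferred jump-label patching that produced the crash above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a refcounted static key: enabled > 0 means the
 * branch is patched in and users may take the fast path. */
struct model_key { int enabled; };

/* Mirrors the contract of static_key_fast_inc_not_disabled(): it only adds
 * a user to a key that is already enabled and refuses otherwise. */
static bool key_fast_inc_not_disabled(struct model_key *k)
{
	if (k->enabled <= 0)
		return false;
	k->enabled++;
	return true;
}

/* Stand-ins for the slow (mutex-protected) increment and decrement. */
static void key_slow_inc(struct model_key *k) { k->enabled++; }
static void key_slow_dec(struct model_key *k) { k->enabled--; }

/* Minimal stand-in for call_rcu(): callbacks run only when the grace
 * period ends, so the object stays visible to readers until then. */
typedef void (*rcu_cb_t)(void *);
struct rcu_cb { rcu_cb_t fn; void *arg; };
static struct rcu_cb pending[8];
static int npending;

static void model_call_rcu(rcu_cb_t fn, void *arg)
{
	pending[npending++] = (struct rcu_cb){ fn, arg };
}

static void model_grace_period_end(void)
{
	for (int i = 0; i < npending; i++)
		pending[i].fn(pending[i].arg);
	npending = 0;
}

/* Stand-in for tcp_ao_info: RCU-protected, holds one key reference. */
struct ao_info { struct model_key *key; bool freed; };

/* Buggy ordering: the key reference was already dropped at destruction,
 * so the callback only frees the object. */
static void ao_info_free_buggy(void *p)
{
	struct ao_info *ao = p;
	ao->freed = true;
}

/* Fixed ordering: the key reference lives exactly as long as the object,
 * so it is dropped here, after the grace period. */
static void ao_info_free_fixed(void *p)
{
	struct ao_info *ao = p;
	key_slow_dec(ao->key);
	ao->freed = true;
}

/* A reader (e.g. full-socket creation from a request socket) that found
 * a still-visible ao_info and therefore assumes the key is enabled. */
static bool reader_fast_path(struct ao_info *ao)
{
	if (ao->freed)
		return false;
	return key_fast_inc_not_disabled(ao->key);
}

/* Destroy the last ao_info, then let a reader run inside the grace
 * period. Returns whether the reader's fast-path assumption held. */
static bool scenario(bool fixed)
{
	struct model_key key = { 0 };
	struct ao_info ao = { &key, false };

	key_slow_inc(&key);		/* first ao_info turns the key on */

	if (fixed) {
		model_call_rcu(ao_info_free_fixed, &ao);
	} else {
		key_slow_dec(&key);	/* reference dropped before readers are gone */
		model_call_rcu(ao_info_free_buggy, &ao);
	}

	bool ok = reader_fast_path(&ao);
	if (ok)
		key_slow_dec(&key);	/* reader releases its own reference */
	model_grace_period_end();
	return ok;
}
```

With the fixed ordering `scenario(true)` returns true: the reader inside the grace period still finds the key enabled. With the buggy ordering `scenario(false)` returns false: the object is visible but its key reference is gone, which is the broken assumption the commit message points at; in the real kernel that window overlaps the deferred jump-label update and ends in the BUG shown above.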
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q >> * The caller must make sure that the static key can't get disabled while> * in this function. It doesn't patch jump labels, only adds a user to> * an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
II. Vulnerability analysis structure feedback
Impact analysis description:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
II. Vulnerability analysis structure feedback
Impact analysis description:
The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
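The interleaving described above, replayed as an added user-space C model (not the CVE record's or the kernel's code): the static-key decrement is done either at socket destruction (the bug) or from the RCU callback that frees tcp_ao_info (the fix), and the reader's fast increment is checked against the precondition quoted from the kernel comment. All struct and function names here are assumptions chosen for the model; the kernel's own functions are named only in comments.

```c
/* Added illustration, not kernel code: a user-space model of the ordering
 * described in the CVE text. The jump-label patching and RCU are stand-ins,
 * and the interleaving is driven by explicit calls so it is deterministic. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a deferred static key (DEFINE_STATIC_KEY_DEFERRED_FALSE). */
struct model_static_key {
    int  enabled;   /* user count, like key->enabled */
    bool disabling; /* set when the count hit 0 and the deferred patch is queued */
};

/* Stand-in for tcp_ao_info, the object readers find under rcu_read_lock(). */
struct model_ao_info {
    struct model_static_key *key;
    bool freed;     /* set once the RCU callback has run */
};

/* Model of static_key_fast_inc_not_disabled(): only adds a user, never
 * patches, and is valid only while the key cannot be disabled in parallel.
 * Returns false where that precondition is broken (the kernel instead hits
 * the jump_label BUG shown in the trace above). */
static bool model_fast_inc_not_disabled(struct model_static_key *key)
{
    if (key->enabled <= 0 || key->disabling)
        return false;
    key->enabled++;
    return true;
}

/* Model of static_key_slow_dec_deferred(): drop one user; at zero the
 * disablement is queued behind the HZ timeout of the key definition. */
static void model_slow_dec_deferred(struct model_static_key *key)
{
    if (--key->enabled == 0)
        key->disabling = true;
}

/* Model of jump_label_update_timeout(): the queued patch actually runs. */
static void model_deferred_patch_runs(struct model_static_key *key)
{
    if (key->enabled == 0)
        key->disabling = false;
}

struct model_outcome {
    bool reader_ref_legal; /* did CPU1's fast increment meet the precondition? */
    int  final_enabled;    /* key->enabled after everything settled */
};

/* The interleaving the netdev test-bot hit:
 *   CPU0: the last TCP-AO socket is destroyed
 *   CPU1: inside rcu_read_lock(), still finds ao_info and, because the key is
 *         present, takes a fast static-key reference for the new full socket
 *   later: the (delayed) RCU grace period ends and ao_info is freed
 * dec_in_rcu_callback chooses where CPU0 drops its static-key user:
 *   false: at socket destruction (the bug)
 *   true:  from the RCU callback that frees ao_info (the fix) */
static struct model_outcome simulate(bool dec_in_rcu_callback)
{
    struct model_static_key key = { .enabled = 1, .disabling = false };
    struct model_ao_info ao = { .key = &key, .freed = false };
    struct model_outcome out = { .reader_ref_legal = true, .final_enabled = 0 };

    /* CPU0: socket destruction; call_rcu() is queued in both variants */
    if (!dec_in_rcu_callback)
        model_slow_dec_deferred(&key);       /* enabled -> 0, patch queued */

    /* CPU1: the grace period is delayed by more than a second, so the reader
     * still sees ao_info and assumes the branch is enabled */
    if (!ao.freed) {
        out.reader_ref_legal = model_fast_inc_not_disabled(ao.key);
        if (out.reader_ref_legal)
            model_slow_dec_deferred(ao.key); /* CPU1's socket goes away later */
    }

    /* grace period ends: the RCU callback frees ao_info and, with the fix,
     * only now drops the last static-key user */
    ao.freed = true;
    if (dec_in_rcu_callback)
        model_slow_dec_deferred(&key);
    model_deferred_patch_runs(&key);

    out.final_enabled = key.enabled;
    return out;
}

int main(void)
{
    struct model_outcome bug = simulate(false), fix = simulate(true);

    printf("dec at destruction:  reader ref legal=%d, final enabled=%d\n",
           bug.reader_ref_legal, bug.final_enabled);
    printf("dec in RCU callback: reader ref legal=%d, final enabled=%d\n",
           fix.reader_ref_legal, fix.final_enabled);
    return 0;
}
```

In both orderings the key ends fully released, but only the fixed ordering keeps the reader's increment inside the helper's stated precondition.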
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
II. Vulnerability analysis structure feedback
Impact analysis description:
</details>
</details>
</details>
</details>
</details>
II. Vulnerability analysis structure feedback
Impact analysis description:
The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
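As an added illustration of the lifetime ordering described above (this is constructed example code, not code from the kernel, the fix commit, or the advisory), the following user-space C model replaces the kernel's static key and jump-label patching with a plain counter, and RCU with a fixed grace-period deadline, then steps the same timeline twice: once with the key decrement armed at socket destruction, as before the fix, and once with it armed only after the grace period has ended, which is what the fix's title describes. All names (model_key, run_scenario, model_fast_inc_not_disabled and friends), the 1500 ms grace period, the 1200 ms reader and the HZ=1000 timeout are assumptions of the model; the grace period is deliberately longer than HZ because that is the condition the commit message names.

```c
/* Constructed user-space model of the ordering bug behind CVE-2024-43887.
 * Not kernel code: static_key/jump_label becomes a counter and RCU becomes a
 * fixed deadline, so the timeline is deterministic. HZ stands in for the
 * DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ) timeout. */
#include <stdbool.h>
#include <stdio.h>

#define HZ 1000   /* deferred-disable timeout in simulated milliseconds (assumed) */

/* Model of a deferred static key: a user count plus one pending timer. */
struct model_key {
    int enabled;       /* users; 0 means the jump label has been patched out */
    long disable_at;   /* simulated time when the pending dec fires, or -1 */
    int patch_events;  /* how many times jump_label_update() "ran" */
};

/* Contract of static_key_fast_inc_not_disabled(): add a user only if the key is
 * already enabled, never patch code. The caller must guarantee the key cannot
 * be disabled concurrently; a false return means that guarantee was broken. */
static bool model_fast_inc_not_disabled(struct model_key *k)
{
    if (k->enabled <= 0)
        return false;
    k->enabled++;
    return true;
}

/* atomic_fetch_add_unless(&key->enabled, -1, 1): drop a user unless it is the
 * last one, because only the last user may trigger code patching. */
static bool model_slow_try_dec(struct model_key *k)
{
    if (k->enabled == 1)
        return false;
    k->enabled--;
    return true;
}

/* static_key_slow_dec_deferred(): the last user's decrement is delayed by HZ
 * so that a quickly re-created user avoids a patch-out/patch-in cycle. */
static void model_slow_dec_deferred(struct model_key *k, long now)
{
    if (model_slow_try_dec(k))
        return;
    if (k->disable_at < 0)
        k->disable_at = now + HZ;
}

/* jump_label_update_timeout() running on the workqueue, as in the trace. */
static void model_timer_fire(struct model_key *k, long now)
{
    if (k->disable_at < 0 || now < k->disable_at)
        return;
    k->disable_at = -1;
    if (model_slow_try_dec(k))
        return;
    if (--k->enabled == 0)
        k->patch_events++;   /* jump_label_update(): code is rewritten here */
}

struct scenario_result {
    bool reader_inc_ok;      /* did a reader holding a live tcp_ao_info get a ref? */
    int key_enabled_at_end;
    int patch_events;
};

/* One constructed timeline. The socket owning the last tcp_ao_info dies at t=0;
 * its RCU grace period ends at RCU_GP_END (> HZ). A reader finds the still-live
 * tcp_ao_info under rcu_read_lock() at READER_AT, calls fast_inc, and drops its
 * ref at READER_DONE. dec_after_gp=false arms the key decrement at destruction
 * (the bug); dec_after_gp=true arms it only after the grace period (the fix). */
static struct scenario_result run_scenario(bool dec_after_gp)
{
    enum { RCU_GP_END = 1500, READER_AT = 1200, READER_DONE = 2000, END = 3000 };
    struct model_key key = { .enabled = 1, .disable_at = -1, .patch_events = 0 };
    struct scenario_result r = { false, 0, 0 };
    bool ao_info_alive = true, reader_has_ref = false;

    for (long now = 0; now <= END; now += 100) {
        if (now == 0 && !dec_after_gp)
            model_slow_dec_deferred(&key, now);      /* vulnerable ordering */
        if (now == RCU_GP_END) {
            ao_info_alive = false;                    /* RCU callback frees tcp_ao_info */
            if (dec_after_gp)
                model_slow_dec_deferred(&key, now);  /* fixed ordering */
        }
        if (now == READER_AT && ao_info_alive) {
            reader_has_ref = model_fast_inc_not_disabled(&key);
            r.reader_inc_ok = reader_has_ref;
        }
        if (now == READER_DONE && reader_has_ref)
            model_slow_dec_deferred(&key, now);
        model_timer_fire(&key, now);
    }
    r.key_enabled_at_end = key.enabled;
    r.patch_events = key.patch_events;
    return r;
}

int main(void)
{
    struct scenario_result bug = run_scenario(false), fix = run_scenario(true);
    printf("dec at destruction:     reader inc ok=%d patches=%d\n", bug.reader_inc_ok, bug.patch_events);
    printf("dec after grace period: reader inc ok=%d patches=%d\n", fix.reader_inc_ok, fix.patch_events);
    return 0;
}
```

In the first run the timer fires at HZ while the reader still holds a live tcp_ao_info, so model_fast_inc_not_disabled() observes a disabled key, which is exactly the situation the quoted comment says a caller must never be able to reach; in the second run the key stays enabled until the last reader has dropped its reference, and the single patch-out happens only after everything that could observe tcp_ao_info is gone. The model does not reproduce the code-patching race itself (the "unexpected op" in the trace), only the lifetime ordering the fix enforces.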
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more thana secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass=q >>* The caller must make sure that the static key can't get disabled while>* in this function. It doesn't patch jump labels, only addsa user to>* an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation ofa full socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is justa helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and asa result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so nota theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU:3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX+ PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than a secondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:> * The caller must make sure that the static key can t get disabled while> * in this function. It doesn t patch jump labels, only adds a user to> * an already enabled static key.Originally it was introduced in commit eb8c507296f6 ( jump_label:Prevent key->enabled int overflow ), which is needed for the atomiccontexts, one of which would be the creation of a full socket from arequest socket. In that atomic context, it s known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just a helper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it s not protected by jump_label_mutex and as a result,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not a theoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
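As an added illustration, not code from this page or from the kernel, the following C model replays the two orderings the commit message describes: a deferred static key whose last user is an RCU-protected tcp_ao_info, a deferred decrement whose timer fires before the grace period ends, and a reader on another CPU that still sees the object and takes a fast reference. It assumes the shape of the fix implied by the commit title, namely that the key decrement is queued only from the RCU callback that frees tcp_ao_info; the diff itself is not on this page, and every name below belongs to the model.

```c
/*
 * Deterministic model of the CVE-2024-43887 lifetime bug (added example,
 * not kernel code). Events are replayed in a fixed order, so no threads
 * are needed to show why the key must outlive the last RCU reader.
 * Assumption: the fixed path queues the deferred decrement from the RCU
 * callback that frees tcp_ao_info, as the commit title describes.
 */
#include <stdbool.h>
#include <stdio.h>

/* Model of DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ) */
struct deferred_key {
	int  enabled;      /* user count, like key->enabled */
	bool dec_pending;  /* a decrement is queued on the HZ timer */
	bool patched_out;  /* jump_label_update() rewrote the branch to "off" */
};

/* Model of tcp_ao_info: visible to RCU readers until the grace period ends */
struct ao_info {
	bool destroyed;    /* socket torn down, object handed to RCU */
	bool freed;        /* grace period over, memory released */
};

enum outcome { OK = 0, FAST_INC_ON_DISABLED_KEY = 1 };

/* static_key_slow_dec_deferred(): queue the decrement for the timer */
static void slow_dec_deferred(struct deferred_key *k)
{
	k->dec_pending = true;
}

/* jump_label_update_timeout(): apply the queued decrement; the last user
 * going away patches the jump labels (the crash site in the trace above) */
static void timer_fires(struct deferred_key *k)
{
	if (!k->dec_pending)
		return;
	k->dec_pending = false;
	if (--k->enabled == 0)
		k->patched_out = true;
}

/* static_key_fast_inc_not_disabled(): only adds a user to a key that is
 * already enabled; the caller must guarantee it cannot be disabled meanwhile */
static enum outcome fast_inc_not_disabled(struct deferred_key *k)
{
	if (k->enabled <= 0 || k->patched_out)
		return FAST_INC_ON_DISABLED_KEY;   /* the broken assumption */
	k->enabled++;
	return OK;
}

/* Socket destruction. Buggy: queue the key decrement right away, while
 * readers may still see ao_info. Fixed: only hand ao_info to RCU. */
static void destroy_socket(struct deferred_key *k, struct ao_info *ao, bool fixed)
{
	ao->destroyed = true;
	if (!fixed)
		slow_dec_deferred(k);
}

/* RCU callback: every reader that could have seen ao_info has finished. */
static void grace_period_end(struct deferred_key *k, struct ao_info *ao, bool fixed)
{
	ao->freed = true;
	if (fixed)
		slow_dec_deferred(k);   /* only now may the key lose its user */
}

/* A reader in atomic context (request socket -> full socket) that found
 * ao_info under rcu_read_lock() and therefore takes a fast reference. */
static enum outcome reader_fast_inc(struct deferred_key *k, const struct ao_info *ao)
{
	if (ao->freed)
		return OK;   /* RCU guarantees a freed object is never observed */
	return fast_inc_not_disabled(k);
}

/* Replay the ordering from the commit message: the RCU grace period is
 * delayed by more than HZ, so the deferred timer fires before it ends. */
enum outcome run_scenario(bool fixed)
{
	struct deferred_key key = { .enabled = 1 };   /* held by the last ao_info */
	struct ao_info ao = { 0 };
	enum outcome res;

	destroy_socket(&key, &ao, fixed);
	timer_fires(&key);                  /* > 1 s passes, RCU still pending */
	res = reader_fast_inc(&key, &ao);   /* another CPU still sees ao_info */
	grace_period_end(&key, &ao, fixed);
	timer_fires(&key);
	return res;
}

int main(void)
{
	printf("buggy ordering: %s\n", run_scenario(false) == OK ? "ok" : "fast_inc on disabled key");
	printf("fixed ordering: %s\n", run_scenario(true) == OK ? "ok" : "fast_inc on disabled key");
	return 0;
}
```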
II. Vulnerability analysis structure feedback
Impact analysis description:
The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
</details>
</details>
</details>
</details>
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net/tcp: Disable TCP-AO static key after RCU grace periodThe lifetime of TCP-AO static_key is the same as the lasttcp_ao_info. On the socket destruction tcp_ao_info ceases to bewith RCU grace period, while tcp-ao static branch is currently deferreddestructed. The static key definition is: DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);which means that if RCU grace period is delayed by more than asecondand tcp_ao_needed is in the process of disablement, other CPUs mayyet see tcp_ao_info which atent dead, but soon-to-be.And that breaks the assumption of static_key_fast_inc_not_disabled().See the comment near the definition:<spanclass= q>> *The caller must make sure that the static key can't get disabled while> *in this function. It doesn't patch jump labels, only adds auser to> *an already enabled static key.</span>Originally it was introduced in commit eb8c507296f6 ("jump_label:Prevent key->enabled int overflow"), which is needed for the atomiccontexts, one of which would be the creation of afull socket from arequest socket. In that atomic context, it's known by the presenceof the key (md5/ao) that the static branch is already enabled.So, the ref counter for that static branch is just incrementedinstead of holding the proper mutex.static_key_fast_inc_not_disabled() is just ahelper for such usagecase. 
But it must not be used if the static branch could get disabledin parallel as it's not protected by jump_label_mutex and as aresult,races with jump_label_update() implementation details.Happened on netdev test-bot[1], so not atheoretical issue:[] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1[] ------------[ cut here ]------------[] kernel BUG at arch/x86/kernel/jump_label.c:73![] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[] CPU: 3PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1[] Hardware name: QEMU Standard PC (i440FX +PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[] Workqueue: events jump_label_update_timeout[] RIP: 0010:__jump_label_patch+0x2f6/0x350...[] Call Trace:[] <TASK>[] arch_jump_label_transform_queue+0x6c/0x110[] __jump_label_update+0xef/0x350[] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60[] jump_label_update_timeout+0x2c/0x40[] process_one_work+0xe3b/0x1670[] worker_thread+0x587/0xce0[] kthread+0x28a/0x350[] ret_from_fork+0x31/0x70[] ret_from_fork_asm+0x1a/0x30[] </TASK>[] Modules linked in: veth[] ---[ end trace 0000000000000000 ]---[] RIP: 0010:__jump_label_patch+0x2f6/0x350[1]: <ahref= https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr >https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr</a>The Linux kernel CVE team has assigned CVE-2024-43887 to this issue.
| linux | | https://git.kernel.org/linus/14ab4792ee120c022f276a7e4768f4dcb08f0cdd | https://git.kernel.org/linus/67fa83f7c86a86913ab9cd5a13b4bebd8d2ebb43 | ubuntu |
</details>
II. Vulnerability analysis feedback
Impact analysis description: