Homepage
About Snyk

Race Condition Affecting kernel package, versions *

Severity

 Recommended
0.0
medium
0
10

Based on CentOS security rating

    Threat Intelligence

    EPSS
    0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-CENTOS7-KERNEL-6562306
  • published 4 Apr 2024
  • disclosed 3 Apr 2024
Report a new vulnerability Found a mistake?

Introduced: 3 Apr 2024

CVE-2024-26737 Open this link in a new tab
CWE-362 Open this link in a new tab
CWE-416 Open this link in a new tab

How to fix?

There is no fixed version for Centos:7 kernel.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel package and not the kernel package as distributed by Centos. See How to fix? for Centos:7 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel

The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer.

bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock();

                bpf_timer_cancel_and_free();
                    spin_lock();
                    t = timer->timer;
                    timer->timer = NULL;
                    spin_unlock();
                    hrtimer_cancel(&t->timer);
                    kfree(t);


/* UAF on t */
hrtimer_cancel(&t->timer);

In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet.

In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock.

Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.

CVSS Scores

version 3.1
Expand this section

Red Hat

5.5 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

SUSE

6.4 medium