Amazon Linux 2023: CVE-2024-26737: Important priority package update for kernel

Amazon Linux 2023: CVE-2024-26737: Important priority package update for kernel

Severity

5

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

04/03/2024

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done.In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period. A use-after-free flaw was found in the Linux kernel’s BPF functionality. This flaw allows a local user to crash the system.

Solution(s)

• amazon-linux-2023-upgrade-bpftool
• amazon-linux-2023-upgrade-bpftool-debuginfo
• amazon-linux-2023-upgrade-kernel
• amazon-linux-2023-upgrade-kernel-debuginfo
• amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64
• amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64
• amazon-linux-2023-upgrade-kernel-devel
• amazon-linux-2023-upgrade-kernel-headers
• amazon-linux-2023-upgrade-kernel-libbpf
• amazon-linux-2023-upgrade-kernel-libbpf-devel
• amazon-linux-2023-upgrade-kernel-libbpf-static
• amazon-linux-2023-upgrade-kernel-livepatch-6-1-82-99-168
• amazon-linux-2023-upgrade-kernel-modules-extra
• amazon-linux-2023-upgrade-kernel-modules-extra-common
• amazon-linux-2023-upgrade-kernel-tools
• amazon-linux-2023-upgrade-kernel-tools-debuginfo
• amazon-linux-2023-upgrade-kernel-tools-devel
• amazon-linux-2023-upgrade-perf
• amazon-linux-2023-upgrade-perf-debuginfo
• amazon-linux-2023-upgrade-python3-perf
• amazon-linux-2023-upgrade-python3-perf-debuginfo

References

• https://attackerkb.com/topics/cve-2024-26737
• CVE - 2024-26737
• https://alas.aws.amazon.com/AL2023/ALAS-2024-784.html