Bug 2159764 (CVE-2023-0160) - CVE-2023-0160 kernel: possibility of deadlock in libbpf function sock_hash_delete_elem
Summary: CVE-2023-0160 kernel: possibility of deadlock in libbpf function sock_hash_de...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-0160
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2167769 2223191
Blocks: 2151485
TreeView+ depends on / blocked
 
Reported: 2023-01-10 16:03 UTC by Alex
Modified: 2023-08-13 21:41 UTC (History)
50 users (show)

Fixed In Version: kernel 6.4-rc1
Doc Type: If docs needed, set a value
Doc Text:
A deadlock flaw was found in the Linux kernel’s BPF subsystem. The fail happens in the function sock_hash_delete_elem. This flaw allows a local user to potentially crash the system.
Clone Of:
Environment:
Last Closed: 2023-03-23 16:18:03 UTC
Embargoed:


Attachments (Terms of Use)

Description Alex 2023-01-10 16:03:13 UTC
A Linux Kernel flaw deadlock found in the BPF. Existing reproducer allows to trigger a lockdep warning. Tested with kernel v5.15.25 and v5.19. The fail happens in the function sock_hash_delete_elem:

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&htab->buckets[i].lock);
                               local_irq_disable();
                               lock(&rq->__lock);
                               lock(&htab->buckets[i].lock);
  <Interrupt>
    lock(&rq->__lock);

 *** DEADLOCK ***

Comment 5 Product Security DevOps Team 2023-03-23 16:18:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0160

Comment 6 Salvatore Bonaccorso 2023-03-24 05:04:59 UTC
Hi Alex,

(In reply to Alex from comment #0)
> A Linux Kernel flaw deadlock found in the BPF. Existing reproducer allows to
> trigger a lockdep warning. Tested with kernel v5.15.25 and v5.19. The fail
> happens in the function sock_hash_delete_elem:
> 
>  Possible interrupt unsafe locking scenario:
> 
>        CPU0                    CPU1
>        ----                    ----
>   lock(&htab->buckets[i].lock);
>                                local_irq_disable();
>                                lock(&rq->__lock);
>                                lock(&htab->buckets[i].lock);
>   <Interrupt>
>     lock(&rq->__lock);
> 
>  *** DEADLOCK ***

Are there any cross-references for this, i.e. where it originates
from and was it ever fixed upstream?

I'm asking to properly track the CVE in Debian.

Regards,
Salvatore

Comment 7 Salvatore Bonaccorso 2023-03-24 05:07:07 UTC
https://lore.kernel.org/lkml/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/ might be the relevant report upstream.

Comment 8 Alex 2023-03-26 07:06:19 UTC
In reply to comment #6:
> Hi Alex,
> 
> (In reply to Alex from comment #0)
> > A Linux Kernel flaw deadlock found in the BPF. Existing reproducer allows to
> > trigger a lockdep warning. Tested with kernel v5.15.25 and v5.19. The fail
> > happens in the function sock_hash_delete_elem:
> > 
> >  Possible interrupt unsafe locking scenario:
> > 
> >        CPU0                    CPU1
> >        ----                    ----
> >   lock(&htab->buckets[i].lock);
> >                                local_irq_disable();
> >                                lock(&rq->__lock);
> >                                lock(&htab->buckets[i].lock);
> >   <Interrupt>
> >     lock(&rq->__lock);
> > 
> >  *** DEADLOCK ***
> 
> Are there any cross-references for this, i.e. where it originates
> from and was it ever fixed upstream?
> 
> I'm asking to properly track the CVE in Debian.
> 
> Regards,
> Salvatore

Hi Salvatore,
Yes, currently the only discussions happens (and likely patch not ready yet):
https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/

You may ask reporter Hsin-Wei Hung to inform you when it ready.
Or ask John Fastabend , because he said (in the same discussion): "Thanks, I'll take a look.".

Alex

Comment 9 Alex 2023-07-16 11:24:39 UTC
Got reply from the reporter regarding this one:

Hi Alex,

The bug was fixed in ed17aa92dc56 ("bpf, sockmap: Revert buggy deadlock fix
in the sockhash and sockmap")

The fix basically disables hardirq instead of only softirq in the critical
section in delete() in sockmap/sockhash since an element can be deleted
from an eBPF program in the interrupt context (hardirq).

Thanks,
Hsin-Wei

Comment 10 Alex 2023-07-16 11:44:16 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2223191]

Comment 11 Justin M. Forbes 2023-07-18 18:37:02 UTC
This was fixed for Fedora with the 6.2.15 stable kernel updates.

Comment 12 Steve Beattie 2023-07-18 19:43:20 UTC
Unfortunately, ed17aa92dc56 ("bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap") was reverted upstream in 8c5c2a4898e3 ("bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap"), which was also backported as part of the 6.2.15 stable kernel update (commit 3cd6ab3b5451).


Note You need to log in before you can comment on or make changes to this bug.