The Linux kernel has recently patched a critical vulnerability (CVE-2024-38662) that involves the BPF program and its interaction with sockmap/sockhash maps. This vulnerability was reported by numerous syzkaller reports and had the potential to cause a locking rule violation. The patch now only allows BPF programs that were previously able to update sockmap/sockhash maps to delete from these map types.

Details of the Vulnerability

The issue lies in the BPF program when it is attached to a tracepoint, and it triggers a locking rule violation by performing a map_delete operation on a sockmap/sockhash. This use case scenario was not intended to be supported. Before the patch, the verifier allowed-program-type check didn't cover deleting from a map when updating sockmap/sockhash.

The fix for this issue involves extending the existing verifier allowed-program-type check for updating sockmap/sockhash to also cover deleting from a map. This restricts which BPF programs can delete from these map types, ensuring only those with the necessary permissions can perform the operation.

Code Snippet

The changes made in the Linux kernel to resolve this vulnerability can be seen in the following code snippet:

-       if (map_delete == BPF_FUNC_map_delete_elem &&
-           (map_type == BPF_MAP_TYPE_SOCKMAP ||
-            map_type == BPF_MAP_TYPE_SOCKHASH)) {
+       if ((map_delete == BPF_FUNC_map_delete_elem ||
+            map_update == BPF_FUNC_map_update_elem) &&
+           (map_type == BPF_MAP_TYPE_SOCKMAP ||
+            map_type == BPF_MAP_TYPE_SOCKHASH) &&
+           !bpf_map_sock_update_allowed(map)) {
                        "map type %s is not allowed for update/delete\n",
                return -EACCES;

As seen in the code above, checks for map_delete and map_update functions are now combined under a single condition, ensuring that the same restrictions apply to both actions on a sockmap/sockhash map.

References and Exploit Details

This vulnerability was patched in the Linux kernel on commit 1f1be34. The original commit message provides more details about the vulnerability and the reasoning behind the specific changes made.

As of now, no known exploits have been seen in the wild as the main scenario where the vulnerability was found involves the syzkaller fuzzer. Users running the Linux kernel are encouraged to update their systems to the latest patch revision to avoid exposing themselves to potential risks related to this vulnerability.


CVE-2024-38662 is a critical vulnerability addressed in the Linux kernel that can cause locking rule violations for BPF programs interacting with sockmap/sockhash maps. The patch provided ensures that only BPF programs with update capabilities can delete from these map types. Users are advised to keep their Linux systems up to date to avoid any potential security risks due to this vulnerability.


Published on: 06/21/2024 12:15:11 UTC
Last modified on: 06/24/2024 18:34:17 UTC