A Linux kernel vulnerability, CVE-2024-56786, has recently been resolved in the BPF (Berkeley Packet Filter) link functionality. This post describes the vulnerability, the fix, and the original references for further reading.

Vulnerability Description

The core issue of this vulnerability lies in an incorrect assumption about when the BPF link's underlying BPF program stops being reachable through the attach hook -> link -> prog chain. Because bpf_prog_put() was called early, the BPF program could be freed before the BPF link itself was freed, while the link, and through it the program pointer, was still reachable. This opens a potential use-after-free window.

The Resolution

This vulnerability has been addressed by deferring the bpf_prog_put() call until the BPF link is ready for deallocation. Although this slightly delays freeing the BPF program, it removes the potential use-after-free. To reduce code duplication, a new helper function, bpf_link_dealloc(), has been introduced to handle both the program put and the link deallocation. A simplified version of this helper is shown below:

/* Deallocate the link, then put its BPF program. */
static void bpf_link_dealloc(struct bpf_link *link)
{
    struct bpf_prog *prog = link->prog;

    /* Deallocate the BPF link. */
    kfree(link);

    /* Put the BPF program. */
    if (prog)
        bpf_prog_put(prog);
}

With this patch, BPF links that use deferred deallocation see their BPF program freed slightly later, but the program can no longer be freed while the link is still reachable.
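To make the ordering problem concrete, here is a constructed C model (added for this post, not kernel code) of the two release sequences: the early-put ordering beside the fixed one, observed from a hook that can still reach the link while its deferred free is pending. The struct names, the refcount, and the "freed" flags are assumptions of the model.

```c
#include <stdbool.h>

/* Constructed model of the lifetimes the page describes (not kernel code):
 * an attach hook reaches a link, the link reaches its BPF program.        */
struct prog { int refcnt; bool freed; };
struct link { struct prog *prog; bool freed; };

struct outcome {
    bool dangling_in_window;  /* hook could reach an already-freed program */
    int  final_prog_refcnt;   /* 0 means the program was released exactly once */
};

static void prog_put(struct prog *p)
{
    if (--p->refcnt == 0)
        p->freed = true;      /* stands in for the real free */
}

/* The deferred part of link release (e.g. run after an RCU grace period).
 * With the fix, the program is put only here, once the link is unreachable;
 * this mirrors the bpf_link_dealloc() helper shown above. */
static void link_dealloc_deferred(struct link *l, bool put_prog_here)
{
    struct prog *p = l->prog;
    l->freed = true;          /* kfree(link) */
    if (put_prog_here && p)
        prog_put(p);
}

/* Release a link the old way (put program immediately, defer link free) or
 * the fixed way (defer both), and report what the hook could observe in
 * the window between release and the deferred callback. */
static struct outcome release_link(bool use_fix)
{
    struct prog p = { .refcnt = 1, .freed = false };
    struct link l = { .prog = &p, .freed = false };
    struct outcome out;

    if (!use_fix)
        prog_put(l.prog);     /* early bpf_prog_put(): program may be gone now */

    /* Deferred free has not run yet: the hook -> link -> prog chain is still
     * walkable, so a freed program here is the use-after-free window. */
    out.dangling_in_window = !l.freed && l.prog->freed;

    link_dealloc_deferred(&l, use_fix);
    out.final_prog_refcnt = p.refcnt;
    return out;
}
```

Both orderings release the program exactly once; only the fixed one keeps it alive for as long as the link can still be reached.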

Original References

Below are some links to the original references where you can find detailed technical explanations and discussions on this vulnerability:

- bpf: put bpf_link's program when link is safe to be deallocated (commit)
- bpf: put bpf_link's program when link is safe to be deallocated (patch)

Exploit Details

There are no known public exploits for this vulnerability at the moment, but it still highlights the importance of keeping your Linux kernel up to date and patched against such issues. Stay vigilant and ensure your systems have the latest security fixes in place.

In conclusion, CVE-2024-56786 has been resolved and patched in the Linux kernel, and users are encouraged to update their systems to remain protected from this vulnerability. By deferring the bpf_prog_put() call and introducing the bpf_link_dealloc() helper function, the use-after-free has been eliminated, providing a safer environment for Linux users.

Timeline

Published on: 01/08/2025 18:15:19 UTC
Last modified on: 01/10/2025 18:53:06 UTC