In the Linux kernel, the following vulnerability has been resolved:
bpf: reject unhashed sockets in bpf_sk_assign
The semantics for bpf_sk_assign are as follows:
sk = some_lookup_func()
bpf_sk_assign(skb, sk)
bpf_sk_release(sk)
That is, the sk is not consumed by bpf_sk_assign. The function therefore needs to make sure that sk lives long enough to be consumed from __inet_lookup_skb. The path through the stack for a TCPv4 packet is roughly:
netif_receive_skb_core: takes RCU read lock __netif_receive_skb_core: sch_handle_ingress: tcf_classify: bpf_sk_assign() deliver_ptype_list_skb: deliver_skb: ip_packet_type->func == ip_rcv: ip_rcv_core: ip_rcv_finish_core: dst_input: ip_local_deliver: ip_local_deliver_finish: ip_protocol_deliver_rcu: tcp_v4_rcv: __inet_lookup_skb: skb_steal_sock
The existing helper takes advantage of the fact that everything happens in the same RCU critical section: for sockets with SOCK_RCU_FREE set bpf_sk_assign never takes a reference. skb_steal_sock then checks SOCK_RCU_FREE again and does sock_put if necessary.
This approach assumes that SOCK_RCU_FREE is never set on a sk between bpf_sk_assign and skb_steal_sock, but this invariant is violated by unhashed UDP sockets. A new UDP socket is created in TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only added in udp_lib_get_port() which happens when a socket is bound.
When bpf_sk_assign was added it wasnt possible to access unhashed UDP sockets from BPF, so this wasnt a problem. This changed in commit 0c48eefae712 (sock_map: Lift socket state restriction for datagram sockets), but the helper wasnt adjusted accordingly. The following sequence of events will therefore lead to a refcount leak:
Fix the problem by rejecting unhashed sockets in bpf_sk_assign(). This matches the behaviour of __inet_lookup_skb which is ultimately the goal of bpf_sk_assign().
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux | Ubuntu | jammy | * |
| Linux | Ubuntu | upstream | * |
| Linux-allwinner-5.19 | Ubuntu | jammy | * |
| Linux-allwinner-5.19 | Ubuntu | upstream | * |
| Linux-aws | Ubuntu | jammy | * |
| Linux-aws | Ubuntu | upstream | * |
| Linux-aws-5.0 | Ubuntu | bionic | * |
| Linux-aws-5.0 | Ubuntu | esm-infra/bionic | * |
| Linux-aws-5.0 | Ubuntu | upstream | * |
| Linux-aws-5.11 | Ubuntu | esm-infra/focal | * |
| Linux-aws-5.11 | Ubuntu | focal | * |
| Linux-aws-5.11 | Ubuntu | upstream | * |
| Linux-aws-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-aws-5.13 | Ubuntu | focal | * |
| Linux-aws-5.13 | Ubuntu | upstream | * |
| Linux-aws-5.15 | Ubuntu | focal | * |
| Linux-aws-5.15 | Ubuntu | upstream | * |
| Linux-aws-5.19 | Ubuntu | jammy | * |
| Linux-aws-5.19 | Ubuntu | upstream | * |
| Linux-aws-5.3 | Ubuntu | bionic | * |
| Linux-aws-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-aws-5.3 | Ubuntu | upstream | * |
| Linux-aws-5.4 | Ubuntu | upstream | * |
| Linux-aws-5.8 | Ubuntu | esm-infra/focal | * |
| Linux-aws-5.8 | Ubuntu | focal | * |
| Linux-aws-5.8 | Ubuntu | upstream | * |
| Linux-aws-6.14 | Ubuntu | upstream | * |
| Linux-aws-6.2 | Ubuntu | jammy | * |
| Linux-aws-6.2 | Ubuntu | upstream | * |
| Linux-aws-6.5 | Ubuntu | jammy | * |
| Linux-aws-6.5 | Ubuntu | upstream | * |
| Linux-aws-6.8 | Ubuntu | upstream | * |
| Linux-aws-fips | Ubuntu | fips-preview/jammy | * |
| Linux-aws-fips | Ubuntu | fips-updates/jammy | * |
| Linux-aws-fips | Ubuntu | trusty | * |
| Linux-aws-fips | Ubuntu | upstream | * |
| Linux-aws-fips | Ubuntu | xenial | * |
| Linux-aws-hwe | Ubuntu | upstream | * |
| Linux-azure | Ubuntu | bionic | * |
| Linux-azure | Ubuntu | esm-infra/bionic | * |
| Linux-azure | Ubuntu | jammy | * |
| Linux-azure | Ubuntu | upstream | * |
| Linux-azure-4.15 | Ubuntu | upstream | * |
| Linux-azure-5.11 | Ubuntu | esm-infra/focal | * |
| Linux-azure-5.11 | Ubuntu | focal | * |
| Linux-azure-5.11 | Ubuntu | upstream | * |
| Linux-azure-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-azure-5.13 | Ubuntu | focal | * |
| Linux-azure-5.13 | Ubuntu | upstream | * |
| Linux-azure-5.15 | Ubuntu | focal | * |
| Linux-azure-5.15 | Ubuntu | upstream | * |
| Linux-azure-5.19 | Ubuntu | jammy | * |
| Linux-azure-5.19 | Ubuntu | upstream | * |
| Linux-azure-5.3 | Ubuntu | bionic | * |
| Linux-azure-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-azure-5.3 | Ubuntu | upstream | * |
| Linux-azure-5.4 | Ubuntu | upstream | * |
| Linux-azure-5.8 | Ubuntu | esm-infra/focal | * |
| Linux-azure-5.8 | Ubuntu | focal | * |
| Linux-azure-5.8 | Ubuntu | upstream | * |
| Linux-azure-6.11 | Ubuntu | noble | * |
| Linux-azure-6.11 | Ubuntu | upstream | * |
| Linux-azure-6.14 | Ubuntu | upstream | * |
| Linux-azure-6.2 | Ubuntu | jammy | * |
| Linux-azure-6.2 | Ubuntu | upstream | * |
| Linux-azure-6.5 | Ubuntu | jammy | * |
| Linux-azure-6.5 | Ubuntu | upstream | * |
| Linux-azure-6.8 | Ubuntu | upstream | * |
| Linux-azure-edge | Ubuntu | bionic | * |
| Linux-azure-edge | Ubuntu | esm-infra/bionic | * |
| Linux-azure-edge | Ubuntu | upstream | * |
| Linux-azure-fde | Ubuntu | esm-infra/focal | * |
| Linux-azure-fde | Ubuntu | focal | * |
| Linux-azure-fde | Ubuntu | upstream | * |
| Linux-azure-fde-5.15 | Ubuntu | upstream | * |
| Linux-azure-fde-5.19 | Ubuntu | jammy | * |
| Linux-azure-fde-5.19 | Ubuntu | upstream | * |
| Linux-azure-fde-6.14 | Ubuntu | upstream | * |
| Linux-azure-fde-6.2 | Ubuntu | jammy | * |
| Linux-azure-fde-6.2 | Ubuntu | upstream | * |
| Linux-azure-fips | Ubuntu | fips-preview/jammy | * |
| Linux-azure-fips | Ubuntu | trusty | * |
| Linux-azure-fips | Ubuntu | upstream | * |
| Linux-azure-fips | Ubuntu | xenial | * |
| Linux-azure-nvidia | Ubuntu | upstream | * |
| Linux-azure-nvidia-6.14 | Ubuntu | upstream | * |
| Linux-bluefield | Ubuntu | bluefield/jammy | * |
| Linux-bluefield | Ubuntu | upstream | * |
| Linux-fips | Ubuntu | fips-preview/jammy | * |
| Linux-fips | Ubuntu | fips-updates/jammy | * |
| Linux-fips | Ubuntu | upstream | * |
| Linux-gcp | Ubuntu | bionic | * |
| Linux-gcp | Ubuntu | esm-infra/bionic | * |
| Linux-gcp | Ubuntu | jammy | * |
| Linux-gcp | Ubuntu | upstream | * |
| Linux-gcp-4.15 | Ubuntu | upstream | * |
| Linux-gcp-5.11 | Ubuntu | esm-infra/focal | * |
| Linux-gcp-5.11 | Ubuntu | focal | * |
| Linux-gcp-5.11 | Ubuntu | upstream | * |
| Linux-gcp-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-gcp-5.13 | Ubuntu | focal | * |
| Linux-gcp-5.13 | Ubuntu | upstream | * |
| Linux-gcp-5.15 | Ubuntu | focal | * |
| Linux-gcp-5.15 | Ubuntu | upstream | * |
| Linux-gcp-5.19 | Ubuntu | jammy | * |
| Linux-gcp-5.19 | Ubuntu | upstream | * |
| Linux-gcp-5.3 | Ubuntu | bionic | * |
| Linux-gcp-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-gcp-5.3 | Ubuntu | upstream | * |
| Linux-gcp-5.4 | Ubuntu | upstream | * |
| Linux-gcp-5.8 | Ubuntu | esm-infra/focal | * |
| Linux-gcp-5.8 | Ubuntu | focal | * |
| Linux-gcp-5.8 | Ubuntu | upstream | * |
| Linux-gcp-6.11 | Ubuntu | noble | * |
| Linux-gcp-6.11 | Ubuntu | upstream | * |
| Linux-gcp-6.14 | Ubuntu | upstream | * |
| Linux-gcp-6.2 | Ubuntu | jammy | * |
| Linux-gcp-6.2 | Ubuntu | upstream | * |
| Linux-gcp-6.5 | Ubuntu | jammy | * |
| Linux-gcp-6.5 | Ubuntu | upstream | * |
| Linux-gcp-6.8 | Ubuntu | upstream | * |
| Linux-gcp-fips | Ubuntu | fips-preview/jammy | * |
| Linux-gcp-fips | Ubuntu | fips-updates/jammy | * |
| Linux-gcp-fips | Ubuntu | trusty | * |
| Linux-gcp-fips | Ubuntu | upstream | * |
| Linux-gcp-fips | Ubuntu | xenial | * |
| Linux-gke | Ubuntu | esm-infra/focal | * |
| Linux-gke | Ubuntu | focal | * |
| Linux-gke | Ubuntu | jammy | * |
| Linux-gke | Ubuntu | upstream | * |
| Linux-gke | Ubuntu | xenial | * |
| Linux-gke-4.15 | Ubuntu | bionic | * |
| Linux-gke-4.15 | Ubuntu | esm-infra/bionic | * |
| Linux-gke-4.15 | Ubuntu | upstream | * |
| Linux-gke-5.15 | Ubuntu | esm-infra/focal | * |
| Linux-gke-5.15 | Ubuntu | focal | * |
| Linux-gke-5.15 | Ubuntu | upstream | * |
| Linux-gke-5.4 | Ubuntu | bionic | * |
| Linux-gke-5.4 | Ubuntu | esm-infra/bionic | * |
| Linux-gke-5.4 | Ubuntu | upstream | * |
| Linux-gkeop | Ubuntu | esm-infra/focal | * |
| Linux-gkeop | Ubuntu | focal | * |
| Linux-gkeop | Ubuntu | jammy | * |
| Linux-gkeop | Ubuntu | upstream | * |
| Linux-gkeop-5.15 | Ubuntu | esm-infra/focal | * |
| Linux-gkeop-5.15 | Ubuntu | focal | * |
| Linux-gkeop-5.15 | Ubuntu | upstream | * |
| Linux-gkeop-5.4 | Ubuntu | bionic | * |
| Linux-gkeop-5.4 | Ubuntu | esm-infra/bionic | * |
| Linux-gkeop-5.4 | Ubuntu | upstream | * |
| Linux-hwe | Ubuntu | bionic | * |
| Linux-hwe | Ubuntu | esm-infra/bionic | * |
| Linux-hwe | Ubuntu | upstream | * |
| Linux-hwe-5.11 | Ubuntu | esm-infra/focal | * |
| Linux-hwe-5.11 | Ubuntu | focal | * |
| Linux-hwe-5.11 | Ubuntu | upstream | * |
| Linux-hwe-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-hwe-5.13 | Ubuntu | focal | * |
| Linux-hwe-5.13 | Ubuntu | upstream | * |
| Linux-hwe-5.15 | Ubuntu | focal | * |
| Linux-hwe-5.15 | Ubuntu | upstream | * |
| Linux-hwe-5.19 | Ubuntu | jammy | * |
| Linux-hwe-5.19 | Ubuntu | upstream | * |
| Linux-hwe-5.4 | Ubuntu | upstream | * |
| Linux-hwe-5.8 | Ubuntu | esm-infra/focal | * |
| Linux-hwe-5.8 | Ubuntu | focal | * |
| Linux-hwe-5.8 | Ubuntu | upstream | * |
| Linux-hwe-6.11 | Ubuntu | noble | * |
| Linux-hwe-6.11 | Ubuntu | upstream | * |
| Linux-hwe-6.14 | Ubuntu | upstream | * |
| Linux-hwe-6.2 | Ubuntu | jammy | * |
| Linux-hwe-6.2 | Ubuntu | upstream | * |
| Linux-hwe-6.5 | Ubuntu | jammy | * |
| Linux-hwe-6.5 | Ubuntu | upstream | * |
| Linux-hwe-6.8 | Ubuntu | upstream | * |
| Linux-hwe-edge | Ubuntu | bionic | * |
| Linux-hwe-edge | Ubuntu | esm-infra/bionic | * |
| Linux-hwe-edge | Ubuntu | esm-infra/xenial | * |
| Linux-hwe-edge | Ubuntu | upstream | * |
| Linux-hwe-edge | Ubuntu | xenial | * |
| Linux-ibm | Ubuntu | jammy | * |
| Linux-ibm | Ubuntu | upstream | * |
| Linux-ibm-5.15 | Ubuntu | focal | * |
| Linux-ibm-5.15 | Ubuntu | upstream | * |
| Linux-ibm-5.4 | Ubuntu | upstream | * |
| Linux-ibm-6.8 | Ubuntu | upstream | * |
| Linux-intel | Ubuntu | noble | * |
| Linux-intel | Ubuntu | upstream | * |
| Linux-intel-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-intel-5.13 | Ubuntu | focal | * |
| Linux-intel-5.13 | Ubuntu | upstream | * |
| Linux-intel-iot-realtime | Ubuntu | jammy | * |
| Linux-intel-iot-realtime | Ubuntu | realtime/jammy | * |
| Linux-intel-iot-realtime | Ubuntu | upstream | * |
| Linux-intel-iotg | Ubuntu | jammy | * |
| Linux-intel-iotg | Ubuntu | upstream | * |
| Linux-intel-iotg-5.15 | Ubuntu | focal | * |
| Linux-intel-iotg-5.15 | Ubuntu | upstream | * |
| Linux-iot | Ubuntu | upstream | * |
| Linux-kvm | Ubuntu | jammy | * |
| Linux-kvm | Ubuntu | upstream | * |
| Linux-lowlatency | Ubuntu | jammy | * |
| Linux-lowlatency | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-5.15 | Ubuntu | focal | * |
| Linux-lowlatency-hwe-5.15 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-5.19 | Ubuntu | jammy | * |
| Linux-lowlatency-hwe-5.19 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.11 | Ubuntu | noble | * |
| Linux-lowlatency-hwe-6.11 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.2 | Ubuntu | jammy | * |
| Linux-lowlatency-hwe-6.2 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.5 | Ubuntu | jammy | * |
| Linux-lowlatency-hwe-6.5 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.8 | Ubuntu | upstream | * |
| Linux-lts-xenial | Ubuntu | upstream | * |
| Linux-nvidia | Ubuntu | jammy | * |
| Linux-nvidia | Ubuntu | upstream | * |
| Linux-nvidia-6.11 | Ubuntu | upstream | * |
| Linux-nvidia-6.2 | Ubuntu | jammy | * |
| Linux-nvidia-6.2 | Ubuntu | upstream | * |
| Linux-nvidia-6.5 | Ubuntu | jammy | * |
| Linux-nvidia-6.5 | Ubuntu | upstream | * |
| Linux-nvidia-6.8 | Ubuntu | upstream | * |
| Linux-nvidia-lowlatency | Ubuntu | upstream | * |
| Linux-nvidia-tegra | Ubuntu | jammy | * |
| Linux-nvidia-tegra | Ubuntu | upstream | * |
| Linux-nvidia-tegra-5.15 | Ubuntu | focal | * |
| Linux-nvidia-tegra-5.15 | Ubuntu | upstream | * |
| Linux-nvidia-tegra-igx | Ubuntu | jammy | * |
| Linux-nvidia-tegra-igx | Ubuntu | upstream | * |
| Linux-oem | Ubuntu | bionic | * |
| Linux-oem | Ubuntu | esm-infra/bionic | * |
| Linux-oem | Ubuntu | upstream | * |
| Linux-oem | Ubuntu | xenial | * |
| Linux-oem-5.10 | Ubuntu | esm-infra/focal | * |
| Linux-oem-5.10 | Ubuntu | focal | * |
| Linux-oem-5.10 | Ubuntu | upstream | * |
| Linux-oem-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-oem-5.13 | Ubuntu | focal | * |
| Linux-oem-5.13 | Ubuntu | upstream | * |
| Linux-oem-5.14 | Ubuntu | esm-infra/focal | * |
| Linux-oem-5.14 | Ubuntu | focal | * |
| Linux-oem-5.14 | Ubuntu | upstream | * |
| Linux-oem-5.17 | Ubuntu | jammy | * |
| Linux-oem-5.17 | Ubuntu | upstream | * |
| Linux-oem-5.6 | Ubuntu | esm-infra/focal | * |
| Linux-oem-5.6 | Ubuntu | focal | * |
| Linux-oem-5.6 | Ubuntu | upstream | * |
| Linux-oem-6.0 | Ubuntu | jammy | * |
| Linux-oem-6.0 | Ubuntu | upstream | * |
| Linux-oem-6.1 | Ubuntu | jammy | * |
| Linux-oem-6.1 | Ubuntu | upstream | * |
| Linux-oem-6.11 | Ubuntu | noble | * |
| Linux-oem-6.11 | Ubuntu | upstream | * |
| Linux-oem-6.14 | Ubuntu | upstream | * |
| Linux-oem-6.5 | Ubuntu | jammy | * |
| Linux-oem-6.5 | Ubuntu | upstream | * |
| Linux-oem-6.8 | Ubuntu | noble | * |
| Linux-oem-6.8 | Ubuntu | upstream | * |
| Linux-oracle | Ubuntu | jammy | * |
| Linux-oracle | Ubuntu | upstream | * |
| Linux-oracle-5.0 | Ubuntu | bionic | * |
| Linux-oracle-5.0 | Ubuntu | esm-infra/bionic | * |
| Linux-oracle-5.0 | Ubuntu | upstream | * |
| Linux-oracle-5.11 | Ubuntu | esm-infra/focal | * |
| Linux-oracle-5.11 | Ubuntu | focal | * |
| Linux-oracle-5.11 | Ubuntu | upstream | * |
| Linux-oracle-5.13 | Ubuntu | esm-infra/focal | * |
| Linux-oracle-5.13 | Ubuntu | focal | * |
| Linux-oracle-5.13 | Ubuntu | upstream | * |
| Linux-oracle-5.15 | Ubuntu | focal | * |
| Linux-oracle-5.15 | Ubuntu | upstream | * |
| Linux-oracle-5.3 | Ubuntu | bionic | * |
| Linux-oracle-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-oracle-5.3 | Ubuntu | upstream | * |
| Linux-oracle-5.4 | Ubuntu | upstream | * |
| Linux-oracle-5.8 | Ubuntu | esm-infra/focal | * |
| Linux-oracle-5.8 | Ubuntu | focal | * |
| Linux-oracle-5.8 | Ubuntu | upstream | * |
| Linux-oracle-6.14 | Ubuntu | upstream | * |
| Linux-oracle-6.5 | Ubuntu | jammy | * |
| Linux-oracle-6.5 | Ubuntu | upstream | * |
| Linux-oracle-6.8 | Ubuntu | upstream | * |
| Linux-raspi | Ubuntu | jammy | * |
| Linux-raspi | Ubuntu | upstream | * |
| Linux-raspi-5.4 | Ubuntu | upstream | * |
| Linux-raspi-realtime | Ubuntu | noble | * |
| Linux-raspi-realtime | Ubuntu | upstream | * |
| Linux-raspi2 | Ubuntu | bionic | * |
| Linux-raspi2 | Ubuntu | esm-infra/focal | * |
| Linux-raspi2 | Ubuntu | focal | * |
| Linux-raspi2 | Ubuntu | upstream | * |
| Linux-raspi2 | Ubuntu | xenial | * |
| Linux-realtime | Ubuntu | jammy | * |
| Linux-realtime | Ubuntu | noble | * |
| Linux-realtime | Ubuntu | realtime/jammy | * |
| Linux-realtime | Ubuntu | upstream | * |
| Linux-realtime-6.14 | Ubuntu | upstream | * |
| Linux-realtime-6.8 | Ubuntu | upstream | * |
| Linux-riscv | Ubuntu | esm-infra/focal | * |
| Linux-riscv | Ubuntu | focal | * |
| Linux-riscv | Ubuntu | jammy | * |
| Linux-riscv | Ubuntu | noble | * |
| Linux-riscv | Ubuntu | upstream | * |
| Linux-riscv-5.11 | Ubuntu | esm-infra/focal | * |
| Linux-riscv-5.11 | Ubuntu | focal | * |
| Linux-riscv-5.11 | Ubuntu | upstream | * |
| Linux-riscv-5.15 | Ubuntu | focal | * |
| Linux-riscv-5.15 | Ubuntu | upstream | * |
| Linux-riscv-5.19 | Ubuntu | jammy | * |
| Linux-riscv-5.19 | Ubuntu | upstream | * |
| Linux-riscv-5.8 | Ubuntu | esm-infra/focal | * |
| Linux-riscv-5.8 | Ubuntu | focal | * |
| Linux-riscv-5.8 | Ubuntu | upstream | * |
| Linux-riscv-6.14 | Ubuntu | upstream | * |
| Linux-riscv-6.5 | Ubuntu | jammy | * |
| Linux-riscv-6.5 | Ubuntu | upstream | * |
| Linux-riscv-6.8 | Ubuntu | upstream | * |
| Linux-starfive-5.19 | Ubuntu | jammy | * |
| Linux-starfive-5.19 | Ubuntu | upstream | * |
| Linux-starfive-6.2 | Ubuntu | jammy | * |
| Linux-starfive-6.2 | Ubuntu | upstream | * |
| Linux-starfive-6.5 | Ubuntu | jammy | * |
| Linux-starfive-6.5 | Ubuntu | upstream | * |
| Linux-xilinx-zynqmp | Ubuntu | jammy | * |
| Linux-xilinx-zynqmp | Ubuntu | upstream | * |