CVE-2024-26737: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel

The following race is possible between bpf_timer_cancel_and_free
and bpf_timer_cancel. It will lead a UAF on the timer->timer.

bpf_timer_cancel();
	spin_lock();
	t = timer->time;
	spin_unlock();

					bpf_timer_cancel_and_free();
						spin_lock();
						t = timer->timer;
						timer->timer = NULL;
						spin_unlock();
						hrtimer_cancel(&t->timer);
						kfree(t);

	/* UAF on t */
	hrtimer_cancel(&t->timer);

In bpf_timer_cancel_and_free, this patch frees the timer->timer
after a rcu grace period. This requires a rcu_head addition
to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init,
this does not need a kfree_rcu because it is still under the
spin_lock and timer->timer has not been visible by others yet.

In bpf_timer_cancel, rcu_read_lock() is added because this helper
can be used in a non rcu critical section context (e.g. from
a sleepable bpf prog). Other timer->timer usages in helpers.c
have been audited, bpf_timer_cancel() is the only place where
timer->timer is used outside of the spin_lock.

Another solution considered is to mark a t->flag in bpf_timer_cancel
and clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,
it busy waits for the flag to be cleared before kfree(t). This patch
goes with a straight forward solution and frees timer->timer after
a rcu grace period.

The Linux kernel CVE team has assigned CVE-2024-26737 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 5.15.150 with commit 5268bb02107b
	Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.1.80 with commit addf5e297e6c
	Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.6.19 with commit 8327ed12e8eb
	Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.7.7 with commit 7d80a9e745fa
	Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.8 with commit 0281b919e175

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26737
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	kernel/bpf/helpers.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c
	https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5
	https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6
	https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33
	https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f