{ "threat_severity" : "Moderate", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf: Make bpf_refcount_acquire fallible for non-owning refs", "id" : "2402284", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402284" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Make bpf_refcount_acquire fallible for non-owning refs\nThis patch fixes an incorrect assumption made in the original\nbpf_refcount series [0], specifically that the BPF program calling\nbpf_refcount_acquire on some node can always guarantee that the node is\nalive. In that series, the patch adding failure behavior to rbtree_add\nand list_push_{front, back} breaks this assumption for non-owning\nreferences.\nConsider the following program:\nn = bpf_kptr_xchg(&mapval, NULL);\n/* skip error checking */\nbpf_spin_lock(&l);\nif(bpf_rbtree_add(&t, &n->rb, less)) {\nbpf_refcount_acquire(n);\n/* Failed to add, do something else with the node */\n}\nbpf_spin_unlock(&l);\nIt's incorrect to assume that bpf_refcount_acquire will always succeed in this\nscenario. bpf_refcount_acquire is being called in a critical section\nhere, but the lock being held is associated with rbtree t, which isn't\nnecessarily the lock associated with the tree that the node is already\nin. So after bpf_rbtree_add fails to add the node and calls bpf_obj_drop\nin it, the program has no ownership of the node's lifetime. Therefore\nthe node's refcount can be decr'd to 0 at any time after the failing\nrbtree_add. If this happens before the refcount_acquire above, the node\nmight be free'd, and regardless refcount_acquire will be incrementing a\n0 refcount.\nLater patches in the series exercise this scenario, resulting in the\nexpected complaint from the kernel (without this patch's changes):\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110\nModules linked in: bpf_testmod(O)\nCPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xbc/0x110\nCode: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7\nRSP: 0018:ffff88810b9179b0 EFLAGS: 00010082\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680\nRBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7\nR10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388\nR13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048\nFS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n\nbpf_refcount_acquire_impl+0xb5/0xc0\n(rest of output snipped)\nThe patch addresses this by changing bpf_refcount_acquire_impl to use\nrefcount_inc_not_zero instead of refcount_inc and marking\nbpf_refcount_acquire KF_RET_NULL.\nFor owning references, though, we know the above scenario is not possible\nand thus that bpf_refcount_acquire will always succeed. Some verifier\nbookkeeping is added to track \"is input owning ref?\" for bpf_refcount_acquire\ncalls and return false from is_kfunc_ret_null for bpf_refcount_acquire on\nowning refs despite it being marked KF_RET_NULL.\nExisting selftests using bpf_refcount_acquire are modified where\nnecessary to NULL-check its return value.\n[0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/", "A memory-safety flaw was found in the Linux kernel extended Berkeley Packet Filter (eBPF) subsystem in the way reference counts are acquired for objects after a failed tree insertion. When a program attempts to acquire a reference to a node that may already have been released, the reference count operation can proceed on a zero count, leading to a use-after-free and a crash. A local user could use this flaw to crash the system, resulting in a denial of service." ], "statement" : "The change makes bpf_refcount_acquire return a nullable result and uses a “increment if not zero” primitive so that acquiring a reference on an object that may have been released fails safely. Verifier bookkeeping distinguishes owning from non-owning references so that callers with ownership still receive a guaranteed non-null result. This prevents reference count additions on an object whose lifetime ended after a failed container insertion.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53645\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53645\nhttps://lore.kernel.org/linux-cve-announce/2025100717-CVE-2023-53645-6c08@gregkh/T" ], "name" : "CVE-2023-53645", "mitigation" : { "value" : "To mitigate this issue, prevent module bpf from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }