{
  "threat_severity" : "Moderate",
  "public_date" : "2024-12-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf, sockmap: Fix race between element replace and close()",
    "id" : "2334577",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334577"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, sockmap: Fix race between element replace and close()\nElement replace (with a socket different from the one stored) may race\nwith socket's close() link popping & unlinking. __sock_map_delete()\nunconditionally unrefs the (wrong) element:\n// set map[0] = s0\nmap_update_elem(map, 0, s0)\n// drop fd of s0\nclose(s0)\nsock_map_close()\nlock_sock(sk)               (s0!)\nsock_map_remove_links(sk)\nlink = sk_psock_link_pop()\nsock_map_unlink(sk, link)\nsock_map_delete_from_link\n// replace map[0] with s1\nmap_update_elem(map, 0, s1)\nsock_map_update_elem\n(s1!)       lock_sock(sk)\nsock_map_update_common\npsock = sk_psock(sk)\nspin_lock(&stab->lock)\nosk = stab->sks[idx]\nsock_map_add_link(..., &stab->sks[idx])\nsock_map_unref(osk, &stab->sks[idx])\npsock = sk_psock(osk)\nsk_psock_put(sk, psock)\nif (refcount_dec_and_test(&psock))\nsk_psock_drop(sk, psock)\nspin_unlock(&stab->lock)\nunlock_sock(sk)\n__sock_map_delete\nspin_lock(&stab->lock)\nsk = *psk                        // s1 replaced s0; sk == s1\nif (!sk_test || sk_test == sk)   // sk_test (s0) != sk (s1); no branch\nsk = xchg(psk, NULL)\nif (sk)\nsock_map_unref(sk, psk)        // unref s1; sks[idx] will dangle\npsock = sk_psock(sk)\nsk_psock_put(sk, psock)\nif (refcount_dec_and_test())\nsk_psock_drop(sk, psock)\nspin_unlock(&stab->lock)\nrelease_sock(sk)\nThen close(map) enqueues bpf_map_free_deferred, which finally calls\nsock_map_free(). This results in some refcount_t warnings along with\na KASAN splat [1].\nFix __sock_map_delete(), do not allow sock_map_unref() on elements that\nmay have been replaced.\n[1]:\nBUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330\nWrite of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063\nCPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\nWorkqueue: events_unbound bpf_map_free_deferred\nCall Trace:\n<TASK>\ndump_stack_lvl+0x68/0x90\nprint_report+0x174/0x4f6\nkasan_report+0xb9/0x190\nkasan_check_range+0x10f/0x1e0\nsock_map_free+0x10e/0x330\nbpf_map_free_deferred+0x173/0x320\nprocess_one_work+0x846/0x1420\nworker_thread+0x5b3/0xf80\nkthread+0x29e/0x360\nret_from_fork+0x2d/0x70\nret_from_fork_asm+0x1a/0x30\n</TASK>\nAllocated by task 1202:\nkasan_save_stack+0x1e/0x40\nkasan_save_track+0x10/0x30\n__kasan_slab_alloc+0x85/0x90\nkmem_cache_alloc_noprof+0x131/0x450\nsk_prot_alloc+0x5b/0x220\nsk_alloc+0x2c/0x870\nunix_create1+0x88/0x8a0\nunix_create+0xc5/0x180\n__sock_create+0x241/0x650\n__sys_socketpair+0x1ce/0x420\n__x64_sys_socketpair+0x92/0x100\ndo_syscall_64+0x93/0x180\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nFreed by task 46:\nkasan_save_stack+0x1e/0x40\nkasan_save_track+0x10/0x30\nkasan_save_free_info+0x37/0x60\n__kasan_slab_free+0x4b/0x70\nkmem_cache_free+0x1a1/0x590\n__sk_destruct+0x388/0x5a0\nsk_psock_destroy+0x73e/0xa50\nprocess_one_work+0x846/0x1420\nworker_thread+0x5b3/0xf80\nkthread+0x29e/0x360\nret_from_fork+0x2d/0x70\nret_from_fork_asm+0x1a/0x30\nThe bu\n---truncated---" ],
  "statement" : "The bug is reached through the bpf() system call and requires winning a complex race condition between a sockmap element replacement and the close() of the socket previously stored in that slot. On Red Hat Enterprise Linux, BPF map operations are restricted to privileged (admin) users, so the security impact is limited.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-56664\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56664\nhttps://lore.kernel.org/linux-cve-announce/2024122752-CVE-2024-56664-9dc6@gregkh/T" ],
  "name" : "CVE-2024-56664",
  "csaw" : false
}