CVE-2022-49236
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF due to race between btf_try_get_module and load_module While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall is happening in parallel. Currently, BTF parsing happens from MODULE_STATE_COMING notifier callback. At this point, the module initcalls have not been invoked. The notifier callback parses and prepares the module BTF, allocates an ID, which publishes it to userspace, and then adds it to the btf_modules list allowing the kernel to invoke btf_try_get_module for the BTF. However, at this point, the module has not been fully initialized (i.e. its initcalls have not finished). The code in module.c can still fail and free the module, without caring for other users. However, nothing stops btf_try_get_module from succeeding between the state transition from MODULE_STATE_COMING to MODULE_STATE_LIVE. This leads to a use-after-free issue when BPF program loads successfully in the state transition, load_module's do_init_module call fails and frees the module, and BPF program fd on close calls module_put for the freed module. Future patch has test case to verify we don't regress in this area in future. There are multiple points after prepare_coming_module (in load_module) where failure can occur and module loading can return error. We illustrate and test for the race using the last point where it can practically occur (in module __init function). An illustration of the race: CPU 0 CPU 1 load_module notifier_call(MODULE_STATE_COMING) btf_parse_module btf_alloc_id // Published to userspace list_add(&btf_mod->list, btf_modules) mod->init(...) ... ^ bpf_check | check_pseudo_btf_id | btf_try_get_module | returns true | ... ... | module __init in progress return prog_fd | ... ... V if (ret < 0) free_module(mod) ... close(prog_fd) ... bpf_prog_free_deferred module_put(used_btf.mod) // use-after-free We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier callback when MODULE_STATE_LIVE state is reached for the module, so that we return NULL from btf_try_get_module for modules that are not fully formed. Since try_module_get already checks that module is not in MODULE_STATE_GOING state, and that is the only transition a live module can make before being removed from btf_modules list, this is enough to close the race and prevent the bug. A later selftest patch crafts the race condition artifically to verify that it has been fixed, and that verifier fails to load program (with ENXIO). Lastly, a couple of comments: 1. Even if this race didn't exist, it seems more appropriate to only access resources (ksyms and kfuncs) of a fully formed module which has been initialized completely. 2. This patch was born out of need for synchronization against module initcall for the next patch, so it is needed for correctness even without the aforementioned race condition. The BTF resources initialized by module initcall are set up once and then only looked up, so just waiting until the initcall has finished ensures correct behavior.
Security Summary
CVE-2022-49236 is a use-after-free (UAF) vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically arising from a race condition between the btf_try_get_module function and the load_module process during kernel module initialization. The issue occurs when BTF (BPF Type Format) parsing for a module happens in a MODULE_STATE_COMING notifier callback, publishing the module's BTF ID to userspace and adding it to the btf_modules list before the module's initcalls complete. If a BPF program loads and successfully calls btf_try_get_module during this window—incrementing a module reference—and the module initialization then fails, the module is freed, leading to a UAF when the BPF program file descriptor is closed and module_put is invoked on the freed memory. The vulnerability is rated CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-416.
A local attacker with low privileges (PR:L) can exploit this during the narrow race window by loading a BPF program that references the module's BTF ID after it is published but before the module reaches MODULE_STATE_LIVE. If the module's do_init_module call fails post-BPF load—such as in the module's __init function—the kernel frees the module without accounting for the BPF-held reference. Closing the BPF program file descriptor then triggers module_put on freed memory, potentially allowing arbitrary code execution, data corruption, or denial of service due to the high confidentiality, integrity, and availability impacts.
The provided patch references from kernel stable repositories detail the mitigation: a new BTF_MODULE_F_LIVE flag is set in the notifier callback only upon reaching MODULE_STATE_LIVE for the module, causing btf_try_get_module to return NULL for incompletely initialized modules and preventing the reference from being acquired during the race. Combined with existing try_module_get checks against MODULE_STATE_GOING, this closes the window. Selftests verify the fix by artificially reproducing the race, ensuring BPF program loads fail with ENXIO. Users should apply the relevant stable kernel updates containing commits like 0481baa2318c, 18688de203b4, 51b82141fffa, and d7fccf264b1a.
Details
- CWE(s)