CVE-2024-58060

CVE-2024-58060 is a Use After Free vulnerability (CWE-416) in the Linux kernel's BPF subsystem, specifically within bpf_struct_ops registration. The issue arises when CONFIG_MODULES=n, causing the BTF ID for the "struct module" type to be missing, as indicated by the warning "resolve_btfids: unresolved symbol module." This affects struct_ops types that include a "struct module *owner" member, such as tcp_congestion_ops, leading to incorrect refcounting in bpf_try_module_get() and subsequent use-after-free conditions. Not all struct_ops are impacted, for example, sched_ext_ops lacks this member.

A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low attack complexity and no user interaction (AC:L/UI:N), achieving high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.8, S:U). Exploitation involves registering a BPF struct_ops program that triggers the faulty refcounting, potentially resulting in kernel memory corruption, arbitrary code execution, or denial of service.

Kernel patches mitigate the issue by rejecting BPF struct_ops registration if the type includes a "struct module *" member and the "struct module" BTF ID is missing. The fix incorporates the btf_type_is_fwd() helper into btf.h for testing and is available in stable kernel trees via commits such as 2324fb4e92092837ee278fdd8d60c48ee1a619ce, 96ea081ed52bf077cad6d00153b6fba68e510767, and b777b14c2a4a4e2322daf8e8ffd42d2b88831b17. The patch targets bpf-next, with a Fixes tag on a recent commit, noting the issue's age since bpf_struct_ops inception and rarity of CONFIG_MODULES=n configurations.