CVE-2024-58060

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
06/03/2025
Last modified:
21/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing:

    WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9 (including) 6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.2 (excluding)
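
A triage check for this advisory, added here as an example (it is not part of the advisory or of the kernel patch): it combines the version ranges from the table above with the CONFIG_MODULES=n condition from the description. The function names and status strings are hypothetical, the sample config text is constructed, and the check assumes upstream version numbering, so a vendor kernel with a backported fix is not recognised.

```python
import re

# Ranges copied from the CPE table on this page: (from, inclusive) to (up to, exclusive).
# Assumption: upstream version numbering; vendor backports of the fix are not detected.
AFFECTED = [((6, 9, 0), (6, 12, 13)), ((6, 13, 0), (6, 13, 2))]


def parse_release(release):
    """Turn a `uname -r` style string such as '6.12.9-arch1-1' into (6, 12, 9)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True when the release falls inside one of the listed ranges."""
    version = parse_release(release)
    return any(lo <= version < hi for lo, hi in AFFECTED)


def modules_disabled(config_text):
    """True when the kernel config has CONFIG_MODULES off, the case in the UAF report."""
    for line in config_text.splitlines():
        line = line.strip()
        if line == "# CONFIG_MODULES is not set":
            return True
        if line.startswith("CONFIG_MODULES="):
            return line.split("=", 1)[1] != "y"
    return True  # a symbol absent from the config is not set


def assess(release, config_text):
    """Classify a host from its release string and kernel config text."""
    if not in_affected_range(release):
        return "outside-listed-range"
    if modules_disabled(config_text):
        return "listed-range-modules-off"  # configuration named in the UAF report
    return "listed-range-modules-on"


if __name__ == "__main__":
    # Constructed sample: an embedded-style config with loadable modules disabled.
    sample_config = "CONFIG_BPF_SYSCALL=y\n# CONFIG_MODULES is not set\n"
    print(assess("6.12.9", sample_config))
```

On a live host the inputs would come from `uname -r` and the kernel config file (for example `/boot/config-$(uname -r)`, or `/proc/config.gz` where the kernel exposes it).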