CVE-2023-54303
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
30/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Disable preemption in bpf_perf_event_output

The nesting protection in bpf_perf_event_output relies on disabled
preemption, which is guaranteed for kprobes and tracepoints.

However bpf_perf_event_output can be also called from uprobes context
through bpf_prog_run_array_sleepable function which disables migration,
but keeps preemption enabled.

This can cause task to be preempted by another one inside the nesting
protection and lead eventually to two tasks using same perf_sample_data
buffer and cause crashes like:

  kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
  BUG: unable to handle page fault for address: ffffffff82be3eea
  ...
  Call Trace:
  ? __die+0x1f/0x70
  ? page_fault_oops+0x176/0x4d0
  ? exc_page_fault+0x132/0x230
  ? asm_exc_page_fault+0x22/0x30
  ? perf_output_sample+0x12b/0x910
  ? perf_event_output+0xd0/0x1d0
  ? bpf_perf_event_output+0x162/0x1d0
  ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87
  ? __uprobe_perf_func+0x12b/0x540
  ? uprobe_dispatcher+0x2c4/0x430
  ? uprobe_notify_resume+0x2da/0xce0
  ? atomic_notifier_call_chain+0x7b/0x110
  ? exit_to_user_mode_prepare+0x13e/0x290
  ? irqentry_exit_to_user_mode+0x5/0x30
  ? asm_exc_int3+0x35/0x40

Fixing this by disabling preemption in bpf_perf_event_output.
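The following user-space model is an added illustration, not kernel code and not part of the original commit. It shows why a nesting counter that picks a buffer by depth only works when a task cannot be preempted between taking and releasing its slot. The struct, the function names and the three-slot layout are assumptions of the model.

```c
#include <stdio.h>

#define MAX_NEST 3  /* buffers per CPU, one per nesting level (model assumption) */

struct cpu_state {
    int nest_level;        /* models the per-CPU nesting counter */
    int owner[MAX_NEST];   /* task id using each buffer, 0 = free */
};

/* Pick a buffer the way a nesting counter does: slot = new level - 1. */
static int slot_enter(struct cpu_state *c, int task, int *collisions)
{
    int level = ++c->nest_level;
    if (level > MAX_NEST) { c->nest_level--; return -1; }
    if (c->owner[level - 1] != 0)
        (*collisions)++;   /* another task is still using this buffer */
    c->owner[level - 1] = task;
    return level - 1;
}

static void slot_leave(struct cpu_state *c, int slot, int task)
{
    if (c->owner[slot] == task) c->owner[slot] = 0;
    c->nest_level--;
}

/* Preemption enabled: tasks on one CPU interleave inside the region. */
int run_preemptible(void)
{
    struct cpu_state c = {0};
    int collisions = 0;
    int a = slot_enter(&c, 1, &collisions); /* A: level 1 -> slot 0 */
    int b = slot_enter(&c, 2, &collisions); /* A preempted, B: level 2 -> slot 1 */
    slot_leave(&c, a, 1);                   /* A resumes and exits: level back to 1 */
    int d = slot_enter(&c, 3, &collisions); /* C: level 2 -> slot 1, B still in it */
    slot_leave(&c, d, 3);
    slot_leave(&c, b, 2);
    return collisions;
}

/* Preemption disabled: each task runs enter..leave without interruption. */
int run_non_preemptible(void)
{
    struct cpu_state c = {0};
    int collisions = 0;
    for (int task = 1; task <= 3; task++)
        slot_leave(&c, slot_enter(&c, task, &collisions), task);
    return collisions;
}

int main(void)
{
    printf("preemptible: %d shared buffer(s)\n", run_preemptible());
    printf("non-preemptible: %d shared buffer(s)\n", run_non_preemptible());
    return 0;
}
```

Disabling migration alone does not prevent the first schedule, because all three tasks stay on the same CPU and therefore share the same counter and buffers.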



