NACK/Cmt: [SRU][F][PATCH 0/1] CVE-2024-38662
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Wed Nov 27 09:05:38 UTC 2024
On Tue, 26 Nov 2024 at 21:27, Magali Lemes <magali.lemes at canonical.com> wrote:
>
> On 14/11/2024 18:38, Massimiliano Pellizzer wrote:
> > [Impact]
> >
> > bpf: Allow delete from sockmap/sockhash only if update is allowed
> >
> > From now on only BPF programs which were previously allowed to update
> > sockmap/sockhash can delete from these map types.
> >
>
> And since f:linux doesn't allow updating sockmap and sockhash map types
> yet, that means no program at all will be able to delete either, right?
>
Yes, that's right.
Now that I am thinking about it again I don't feel it's the right way
to backport the fix anymore.
The original patch still allows deletion from these maps, it only
enforces stricter checks
on programs that want to delete. By applying this patch we are
completely removing the deletion feature.
I will send a v2 including also 0126240f448d5bba29d0d1593aa527d3bf67b916.
> > [Fix]
> >
> > Noble: Fixed via stable updates (f8457aa6c401bf)
> > Jammy: Fixed via stable updates (4aaeb3bf863dc1c)
> > Focal: Backported from mainline
> > Bionic: Not affected
> > Xenial: Not affected
> >
> > [Test Case]
> >
> > Compile tested only.
> >
> > [Where problems could occur]
> >
> > The fix affects the BPF subsystem and in particular sockmap and sockhash
> > structures. Users may see kernel warnings or experience system
> > instability while performing socket operations when utilizing BPF-based
> > socket management.
> >
> > Jakub Sitnicki (1):
> > bpf: Allow delete from sockmap/sockhash only if update is allowed
> >
> > kernel/bpf/verifier.c | 2 --
> > 1 file changed, 2 deletions(-)
> >
>
> Acked-by: Magali Lemes <magali.lemes at canonical.com>
--
Massimiliano Pellizzer
More information about the kernel-team
mailing list