
CVE-2024-58070: Vulnerability in Linux Linux

High
Published: Thu Mar 06 2025 (03/06/2025, 15:54:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT

In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT is enabled.

[ 35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs
[ 35.118569] preempt_count: 1, expected: 0
[ 35.118571] RCU nest depth: 1, expected: 1
[ 35.118577] INFO: lockdep is turned off.
...
[ 35.118647] __might_resched+0x433/0x5b0
[ 35.118677] rt_spin_lock+0xc3/0x290
[ 35.118700] ___slab_alloc+0x72/0xc40
[ 35.118723] __kmalloc_noprof+0x13f/0x4e0
[ 35.118732] bpf_map_kzalloc+0xe5/0x220
[ 35.118740] bpf_selem_alloc+0x1d2/0x7b0
[ 35.118755] bpf_local_storage_update+0x2fa/0x8b0
[ 35.118784] bpf_sk_storage_get_tracing+0x15a/0x1d0
[ 35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66
[ 35.118795] bpf_trace_run3+0x222/0x400
[ 35.118820] __bpf_trace_inet_sock_set_state+0x11/0x20
[ 35.118824] trace_inet_sock_set_state+0x112/0x130
[ 35.118830] inet_sk_state_store+0x41/0x90
[ 35.118836] tcp_set_state+0x3b3/0x640

There is no need to adjust the gfp_flags passing to the bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL. The verifier has ensured GFP_KERNEL is passed only in sleepable context.

It has been an old issue since the first introduction of the bpf_local_storage ~5 years ago, so this patch targets the bpf-next.

bpf_mem_alloc is needed to solve it, so the Fixes tag is set to the commit when bpf_mem_alloc was first used in the bpf_local_storage.

AI-Powered Analysis

Last updated: 06/28/2025, 05:55:19 UTC

Technical Analysis

CVE-2024-58070 is a vulnerability in the Linux kernel's eBPF (extended Berkeley Packet Filter) local storage implementation that affects kernels built with PREEMPT_RT (Real-Time). PREEMPT_RT makes the kernel fully preemptible, which changes the constraints around locking and memory allocation. The bpf_local_storage code could allocate with kmalloc(GFP_ATOMIC) from non-preemptible context, and on PREEMPT_RT that is not safe. The quoted trace shows why: the allocation reaches ___slab_alloc, which takes a lock through rt_spin_lock. On PREEMPT_RT that lock can sleep, so __might_resched reports a sleeping function called from an invalid context (preempt_count: 1, expected: 0). The result is a kernel BUG report and possibly a crash.

The fix enforces the use of bpf_mem_alloc instead of kmalloc in the bpf_local_storage code path when CONFIG_PREEMPT_RT is enabled, so that allocations respect the constraints of the real-time kernel and no longer sleep in an invalid context. The patch does not adjust the gfp_flags passed to bpf_mem_cache_alloc_flags(), which only honors GFP_KERNEL, because the verifier already ensures GFP_KERNEL is passed only in sleepable context. The issue has existed since bpf_local_storage was introduced approximately five years ago, and the patch targets the bpf-next branch. The stack trace in the kernel log points to bpf_local_storage_update and related functions. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability could lead to kernel crashes or instability on systems running Linux kernels with PREEMPT_RT enabled and using eBPF local storage features. PREEMPT_RT is commonly used in environments requiring real-time performance and low latency, such as industrial control systems, telecommunications infrastructure, automotive systems, and embedded devices. Organizations relying on such systems might experience denial of service conditions or system instability if this vulnerability is triggered, potentially disrupting critical operations. While no direct remote exploit is known, the vulnerability could be triggered by local users or processes with the ability to load or interact with eBPF programs, which are increasingly used for networking, monitoring, and security purposes. The impact on confidentiality and integrity is limited, as the vulnerability primarily causes kernel crashes rather than privilege escalation or data leakage. However, availability impact is significant in real-time or critical infrastructure contexts. European organizations in sectors like manufacturing, automotive, telecom, and critical infrastructure that deploy PREEMPT_RT patched Linux kernels should be particularly mindful of this issue.

Mitigation Recommendations

1. Apply the official Linux kernel patch that enforces the use of bpf_mem_alloc in bpf_local_storage when CONFIG_PREEMPT_RT is enabled. This patch is available in the bpf-next branch and should be backported to stable kernels where PREEMPT_RT is used.
2. Update Linux kernels to versions that include this fix as soon as they are released by the distribution or vendor.
3. Audit and restrict the ability to load or run eBPF programs to trusted users and processes only, minimizing the attack surface.
4. Monitor kernel logs for BUG messages related to sleeping functions called from invalid contexts, which may indicate attempts to trigger this vulnerability.
5. For systems where PREEMPT_RT is not required, consider disabling it if feasible to reduce exposure.
6. Engage with Linux distribution vendors and real-time kernel maintainers to ensure timely patching and backporting of this fix.
7. In environments where real-time performance is critical, perform thorough testing of updated kernels to ensure stability and compatibility post-patch.
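
One way to implement the log monitoring in recommendation 4, as an added example that is not code from this advisory or from the kernel project: it groups each "sleeping function called from invalid context" report with its stack frames and flags only those where the slab allocator was reached from bpf_local_storage code. The function names, the 1-second `WINDOW` and the second sample splat are assumptions made for illustration.

```python
import re

# Abridged splat from the CVE description, followed by a constructed,
# unrelated splat (hypothetical driver frame) that must not be flagged.
SAMPLE_DMESG = """\
[   35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[   35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs
[   35.118677]  rt_spin_lock+0xc3/0x290
[   35.118700]  ___slab_alloc+0x72/0xc40
[   35.118740]  bpf_selem_alloc+0x1d2/0x7b0
[   35.118755]  bpf_local_storage_update+0x2fa/0x8b0
[   90.000001] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[   90.000002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 77, name: example_task
[   90.000003]  example_driver_irq+0x10/0x40
"""

LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
BUG = "BUG: sleeping function called from invalid context"
TASK = re.compile(r"pid: (?P<pid>\d+), name: (?P<comm>\S+)")
FRAME = re.compile(r"^\??\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
ALLOC = {"___slab_alloc", "__kmalloc_noprof", "bpf_map_kzalloc"}
STORAGE = {"bpf_selem_alloc", "bpf_local_storage_update"}
WINDOW = 1.0  # assumed: seconds of log after the BUG line treated as one splat

def find_splats(text):
    """Group each 'sleeping function' BUG line with the frames that follow it."""
    splats, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"].strip()
        if msg.startswith(BUG):
            cur = {"ts": ts, "pid": None, "comm": None, "frames": []}
            splats.append(cur)
        elif cur is not None and ts - cur["ts"] <= WINDOW:
            if (t := TASK.search(msg)):
                cur["pid"], cur["comm"] = int(t["pid"]), t["comm"]
            elif (f := FRAME.match(msg)):
                cur["frames"].append(f["sym"])
    return splats

def matches_cve_2024_58070(splat):
    """True when the splat reached the slab allocator from bpf_local_storage."""
    frames = set(splat["frames"])
    return bool(frames & ALLOC) and bool(frames & STORAGE)

if __name__ == "__main__":
    print([(s["comm"], matches_cve_2024_58070(s)) for s in find_splats(SAMPLE_DMESG)])
```

A match is a triage signal that this code path was hit on a PREEMPT_RT kernel without the fix; it does not by itself say whether the trigger was deliberate.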


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-03-06T15:52:09.182Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde2b8

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 6/28/2025, 5:55:19 AM

Last updated: 7/26/2025, 6:40:58 PM
