CVE-2024-58060 in Linuxinfo

Summary

by MITRE • 03/06/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing

There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member.

For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing:

WARN: resolve_btfids: unresolved symbol module

Thus, the bpf_try_module_get() cannot do the correct refcounting.

Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops.

This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test.

This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/16/2026

The vulnerability described in CVE-2024-58060 affects the Linux kernel's BPF (Berkeley Packet Filter) subsystem, specifically within the struct_ops framework that enables BPF programs to interact with kernel data structures. This issue arises when the kernel is compiled with CONFIG_MODULES=n, meaning that kernel modules are not supported. The vulnerability stems from a fundamental mismatch in how BPF programs handle module ownership references when attempting to register struct_ops with module pointers.

The technical flaw manifests when BPF programs try to register struct_ops that contain a "struct module *owner" member while operating in a kernel configuration without module support. The kernel's BPF subsystem uses a function called bpf_try_module_get() to manage reference counting for these module ownership relationships. However, when CONFIG_MODULES=n is set, the BTF (Binary Type Format) information for the "struct module" type becomes unavailable, causing the system to generate a warning about unresolved symbols. This missing BTF information prevents bpf_try_module_get() from performing proper reference counting operations, leading to potential use-after-free conditions.

The operational impact of this vulnerability is significant within environments where kernel modules are disabled, which while not common in typical production systems, represents a critical security risk in specialized embedded or hardened systems. The issue affects the tcp_congestion_ops subsystem specifically, where the struct_ops framework attempts to reference module ownership information that simply does not exist in the compiled kernel. This creates a scenario where BPF programs could potentially access freed memory or corrupt kernel data structures, leading to system instability or potential privilege escalation.

The patch addressing this vulnerability implements a preventive measure by disabling BPF struct_ops registration when a struct_ops contains a "struct module *owner" member but lacks the corresponding BTF ID for the struct module type. This approach aligns with the principle of least privilege and defensive programming practices. The solution involves moving the btf_type_is_fwd() helper function to the btf.h header file to enable proper type checking during the registration process. This fix represents a targeted approach to prevent the problematic registration from occurring in the first place, rather than attempting to work around the missing type information after registration.

This vulnerability demonstrates the complexity of kernel security when dealing with conditional compilation features and the interaction between different subsystems. The issue has existed since the initial implementation of bpf_struct_ops, indicating a long-standing design oversight in handling kernel configurations without module support. From a cybersecurity perspective, this vulnerability aligns with CWE-416 (Use After Free) and CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) categories, as it involves improper handling of memory references and resource management. The ATT&CK framework would classify this under T1068 (Exploitation for Privilege Escalation) and T1499 (Endpoint Denial of Service) as potential attack vectors. The patch demonstrates proper defensive programming by failing gracefully when encountering unsupported configurations rather than attempting to operate in an undefined state.

Responsible

Linux

Reservation

03/06/2025

Disclosure

03/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00193

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!