CVE-2024-35955

kprobes: Fix possible use-after-free issue on kprobe registration

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

kprobes: Fix possible use-after-free issue on kprobe registration

When unloading a module, its state is changing MODULE_STATE_LIVE ->
MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
a time. `is_module_text_address()` and `__module_text_address()`
works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use `is_module_text_address()` and `__module_text_address()`
separately, there is a chance that the first one is succeeded but the
next one is failed because module->state becomes MODULE_STATE_UNFORMED
between those operations.

In `check_kprobe_address_safe()`, if the second `__module_text_address()`
is failed, that is ignored because it expected a kernel_text address.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
non-exist module text address (use-after-free).

To fix this problem, we should not use separated `is_module_text_address()`
and `__module_text_address()`, but use only `__module_text_address()`
once and do `try_module_get(module)` which is only available with
MODULE_STATE_LIVE.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: kprobes: soluciona un posible problema de use after free en el registro de kprobe Al descargar un módulo, su estado cambia MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Cada cambio llevará un tiempo. `is_module_text_address()` y `__module_text_address()` funcionan con MODULE_STATE_LIVE y MODULE_STATE_GOING. Si usamos `is_module_text_address()` y `__module_text_address()` por separado, existe la posibilidad de que el primero tenga éxito pero el siguiente falle porque module->state se convierte en MODULE_STATE_UNFORMED entre esas operaciones. En `check_kprobe_address_safe()`, si el segundo `__module_text_address()` falla, se ignora porque esperaba una dirección kernel_text. Pero es posible que haya fallado simplemente porque módulo->estado se cambió a MODULE_STATE_UNFORMED. En este caso, arm_kprobe() intentará modificar la dirección de texto del módulo que no existe (use after free). Para solucionar este problema, no debemos usar `is_module_text_address()` y `__module_text_address()` separados, sino usar solo `__module_text_address()` una vez y hacer `try_module_get(module)` que solo está disponible con MODULE_STATE_LIVE.

*Credits: N/A

CVSS Scores

CISAv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-20 CVE Published
2024-05-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (18)

URL	Tag	Source
https://git.kernel.org/stable/c/1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8	Vuln. Introduced
https://git.kernel.org/stable/c/6a119c1a584aa7a2c6216458f1f272bf1bc93a93	Vuln. Introduced
https://git.kernel.org/stable/c/2a49b025c36ae749cee7ccc4b7e456e02539cdc3	Vuln. Introduced
https://git.kernel.org/stable/c/a1edb85e60fdab1e14db63ae8af8db3f0d798fb6	Vuln. Introduced
https://git.kernel.org/stable/c/28f6c37a2910f565b4f5960df52b2eccae28c891	Vuln. Introduced
https://git.kernel.org/stable/c/4262b6eb057d86c7829168c541654fe0d48fdac8	Vuln. Introduced
https://git.kernel.org/stable/c/97e813e6a143edf4208e15c72199c495ed80cea5	Vuln. Introduced
https://git.kernel.org/stable/c/16a544f1e013ba0660612f3fe35393b143b19a84	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33	2024-05-02
https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412	2024-05-02
https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d	2024-05-02
https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e	2024-04-27
https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808	2024-04-17
https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f	2024-04-17
https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0	2024-04-17
https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8	2024-04-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.256 < 4.19.313 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.256 < 4.19.313"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.211 < 5.4.275 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.211 < 5.4.275"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.137 < 5.10.216 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.137 < 5.10.216"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.61 < 5.15.157 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.61 < 5.15.157"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.1.87 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.1.87"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.6.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.6.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.8.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.8.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.291 Search vendor "Linux" for product "Linux Kernel" and version "4.14.291"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.18.18 Search vendor "Linux" for product "Linux Kernel" and version "5.18.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.19.2 Search vendor "Linux" for product "Linux Kernel" and version "5.19.2"		en		Affected