// For flags

CVE-2024-35955

kprobes: Fix possible use-after-free issue on kprobe registration

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

kprobes: Fix possible use-after-free issue on kprobe registration

When unloading a module, its state is changing MODULE_STATE_LIVE ->
MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
a time. `is_module_text_address()` and `__module_text_address()`
works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use `is_module_text_address()` and `__module_text_address()`
separately, there is a chance that the first one is succeeded but the
next one is failed because module->state becomes MODULE_STATE_UNFORMED
between those operations.

In `check_kprobe_address_safe()`, if the second `__module_text_address()`
is failed, that is ignored because it expected a kernel_text address.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
non-exist module text address (use-after-free).

To fix this problem, we should not use separated `is_module_text_address()`
and `__module_text_address()`, but use only `__module_text_address()`
once and do `try_module_get(module)` which is only available with
MODULE_STATE_LIVE.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: kprobes: soluciona un posible problema de use after free en el registro de kprobe Al descargar un módulo, su estado cambia MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Cada cambio llevará un tiempo. `is_module_text_address()` y `__module_text_address()` funcionan con MODULE_STATE_LIVE y MODULE_STATE_GOING. Si usamos `is_module_text_address()` y `__module_text_address()` por separado, existe la posibilidad de que el primero tenga éxito pero el siguiente falle porque module->state se convierte en MODULE_STATE_UNFORMED entre esas operaciones. En `check_kprobe_address_safe()`, si el segundo `__module_text_address()` falla, se ignora porque esperaba una dirección kernel_text. Pero es posible que haya fallado simplemente porque módulo->estado se cambió a MODULE_STATE_UNFORMED. En este caso, arm_kprobe() intentará modificar la dirección de texto del módulo que no existe (use after free). Para solucionar este problema, no debemos usar `is_module_text_address()` y `__module_text_address()` separados, sino usar solo `__module_text_address()` una vez y hacer `try_module_get(module)` que solo está disponible con MODULE_STATE_LIVE.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-05-17 CVE Reserved
  • 2024-05-20 CVE Published
  • 2024-05-21 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-416: Use After Free
CAPEC
References (18)
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.19.256 < 4.19.313
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.256 < 4.19.313"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.4.211 < 5.4.275
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.211 < 5.4.275"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.10.137 < 5.10.216
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.137 < 5.10.216"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.15.61 < 5.15.157
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.61 < 5.15.157"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.1.87
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.1.87"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.6.28
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.6.28"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.8.7
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.8.7"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.0 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.9"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.14.291
Search vendor "Linux" for product "Linux Kernel" and version "4.14.291"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
5.18.18
Search vendor "Linux" for product "Linux Kernel" and version "5.18.18"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
5.19.2
Search vendor "Linux" for product "Linux Kernel" and version "5.19.2"
en
Affected