CVE-2024-38588
ftrace: Fix possible use-after-free issue in ftrace_location()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix possible use-after-free issue in ftrace_location()
KASAN reports a bug:
BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
Read of size 8 at addr ffff888141d40010 by task insmod/424
CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
[...]
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xa0
print_report+0xcf/0x610
kasan_report+0xb5/0xe0
ftrace_location+0x90/0x120
register_kprobe+0x14b/0xa40
kprobe_init+0x2d/0xff0 [kprobe_example]
do_one_initcall+0x8f/0x2d0
do_init_module+0x13a/0x3c0
load_module+0x3082/0x33d0
init_module_from_file+0xd2/0x130
__x64_sys_finit_module+0x306/0x440
do_syscall_64+0x68/0x140
entry_SYSCALL_64_after_hwframe+0x71/0x79
The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:
CPU1 | CPU2
register_kprobes() { | delete_module() {
check_kprobe_address_safe() { |
arch_check_ftrace_location() { |
ftrace_location() { |
lookup_rec() // USE! | ftrace_release_mod() // Free!
To fix this issue:
1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
2. Use ftrace_location_range() instead of lookup_rec() in
ftrace_location();
3. Call synchronize_rcu() before freeing any ftrace pages both in
ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ftrace: Solucionar posible problema de use-after-free en ftrace_location() KASAN informa un error: ERROR: KASAN: use-after-free en ftrace_location+0x90/0x120 Lectura de tamaño 8 en addr ffff888141d40010 por tarea insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: GW 6.9.0-rc2+ [...] Rastreo de llamadas: dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/ 0xe0 ftrace_location+0x90/0x120 Register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from _file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entrada_SYSCALL_64_after_hwframe +0x71/0x79 La causa principal es que, en lookup_rec(), el registro ftrace de alguna dirección se busca en las páginas ftrace de algún módulo, pero esas páginas ftrace al mismo tiempo se liberan en ftrace_release_mod() como lo está el módulo correspondiente. siendo eliminado: CPU1 | CPU2 registro_kprobes() { | eliminar_módulo() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_ubicación() { | lookup_rec() // ¡UTILIZAR! | ftrace_release_mod() // ¡Gratis! Para solucionar este problema: 1. Mantenga presionado rcu lock mientras accede a las páginas de ftrace en ftrace_location_range(); 2. Utilice ftrace_location_range() en lugar de lookup_rec() en ftrace_location(); 3. Llame a sincronizar_rcu() antes de liberar cualquier página ftrace tanto en ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-06-18 CVE Reserved
- 2024-06-19 CVE Published
- 2024-09-20 EPSS Updated
- 2024-11-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 5.4.286 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 5.4.286" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 5.10.227 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 5.10.227" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 5.15.162" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.1.93 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.1.93" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.6.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.6.33" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.8.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.8.12" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.9.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.9.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.7 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.7 < 6.10" | en |
Affected
| ||||||