CVE-2024-40947

ima: Avoid blocking in RCU read-side critical section

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ima: Avoid blocking in RCU read-side critical section

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS: 00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ima_get_action+0x22/0x30
process_measurement+0xb0/0x830
? page_add_file_rmap+0x15/0x170
? alloc_set_pte+0x269/0x4c0
? prep_new_page+0x81/0x140
? simple_xattr_get+0x75/0xa0
? selinux_file_open+0x9d/0xf0
ima_file_check+0x64/0x90
path_openat+0x571/0x1720
do_filp_open+0x9b/0x110
? page_counter_try_charge+0x57/0xc0
? files_cgroup_alloc_fd+0x38/0x60
? __alloc_fd+0xd4/0x250
? do_sys_open+0x1bd/0x250
do_sys_open+0x1bd/0x250
do_syscall_64+0x5d/0x1d0
entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
| Thread A | Thread B |
| |ima_match_policy |
| | rcu_read_lock |
|ima_lsm_update_rule | |
| synchronize_rcu | |
| | kmalloc(GFP_KERNEL)|
| | sleep |
==> synchronize_rcu returns early
| kfree(entry) | |
| | entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
| | entry->action |
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ima: Evite el bloqueo en la sección crítica del lado de lectura de RCU Ocurre un pánico en ima_match_policy: ERROR: no se puede manejar la desreferencia del puntero NULL del kernel en 00000000000000010 PGD 42f873067 P4D 0 Ups: 0000 [#1 ] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: cargado Contaminado: P Nombre del hardware: QEMU PC estándar (i440FX + PIIX, 1996), BIOS 0.0.0 06/02/2015 RIP: 0010:ima_match_policy+0x84 /0x450 Código: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08 : 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: : 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: ima_get_action+0x22/0x30 Process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170? alloc_set_pte+0x269/0x4c0? prep_new_page+0x81/0x140? simple_xattr_get+0x75/0xa0? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0? files_cgroup_alloc_fd+0x38/0x60? __alloc_fd+0xd4/0x250? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 Entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE devuelto por ima_filter_rule_match()") introdujo la llamada a ima_lsm _copy_rule dentro de una sección crítica del lado de lectura de RCU que contiene kmalloc con GFP_KERNEL. Esto implica una posible suspensión y viola las limitaciones de las secciones críticas del lado de lectura de RCU en sistemas que no son PREEMPT. Dormir dentro de la sección crítica del lado de lectura de la RCU puede provocar que sincronizar_rcu() regrese antes de tiempo y rompa la protección de la RCU, lo que permite que se produzca una UAF. La causa raíz de este problema podría describirse de la siguiente manera: | Hilo A | Hilo B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | sincronizar_rcu | | | | kmalloc(GFP_KERNEL)| | | dormir | ==> sincronizar_rcu regresa temprano | kfree(entrada) | | | | entrada = entrada->siguiente| ==> Sucede UAF y la entrada ahora se vuelve NULL (o podría ser cualquier cosa). | | entrada->acción | ==> Acceder a la entrada puede causar pánico. Para solucionar este problema, estamos convirtiendo todos los kmalloc que se llaman dentro de la sección crítica del lado de lectura de RCU para usar GFP_ATOMIC. [PM: comentario faltante corregido, líneas largas, caso !CONFIG_IMA_LSM_RULES]

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2024-07-19 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/c4b035b1f036ddd53fbfced49046e586c5ad8a3e	Vuln. Introduced
https://git.kernel.org/stable/c/2d4bc60693c4206c64723e94ae5f7a04c0b8f18f	Vuln. Introduced
https://git.kernel.org/stable/c/8008f1691c15f353f5a53dc5d450b8262cb57421	Vuln. Introduced
https://git.kernel.org/stable/c/c7423dbdbc9ecef7fff5239d144cad4b9887f4de	Vuln. Introduced
https://git.kernel.org/stable/c/38d48fd224036717fcb3437e7af1314f6ebcd2d0	Vuln. Introduced
https://git.kernel.org/stable/c/69c60b2a2dbb4887739d3a13297cc0dae3793f35	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/a6176a802c4bfb83bf7524591aa75f44a639a853	2024-07-18
https://git.kernel.org/stable/c/a38e02265c681b51997a264aaf743095e2ee400a	2024-07-18
https://git.kernel.org/stable/c/9c3906c3738562b1fedc6f1cfc81756a7cfefff0	2024-07-11
https://git.kernel.org/stable/c/28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88	2024-07-11
https://git.kernel.org/stable/c/58275455893066149e9f4df2223ab2fdbdc59f9c	2024-06-27
https://git.kernel.org/stable/c/9a95c5bfbf02a0a7f5983280fe284a0ff0836c34	2024-06-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.163 < 5.10.222 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.163 < 5.10.222"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.86 < 5.15.163 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.86 < 5.15.163"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.2 < 6.1.98 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.2 < 6.1.98"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.6.39 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.6.39"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.9.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.9.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.229 Search vendor "Linux" for product "Linux Kernel" and version "5.4.229"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.0.16 Search vendor "Linux" for product "Linux Kernel" and version "6.0.16"		en		Affected