In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix possible use-after-free issue in ftrace_location()
KASAN reports a bug:
BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
Read of size 8 at addr ffff888141d40010 by task insmod/424
CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
[...]
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xa0
print_report+0xcf/0x610
kasan_report+0xb5/0xe0
ftrace_location+0x90/0x120
register_kprobe+0x14b/0xa40
kprobe_init+0x2d/0xff0 [kprobe_example]
do_one_initcall+0x8f/0x2d0
do_init_module+0x13a/0x3c0
load_module+0x3082/0x33d0
init_module_from_file+0xd2/0x130
__x64_sys_finit_module+0x306/0x440
do_syscall_64+0x68/0x140
entry_SYSCALL_64_after_hwframe+0x71/0x79
The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:
CPU1 | CPU2
register_kprobes() { | delete_module() {
check_kprobe_address_safe() { |
arch_check_ftrace_location() { |
ftrace_location() { |
lookup_rec() // USE! | ftrace_release_mod() // Free!
To fix this issue:
1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
2. Use ftrace_location_range() instead of lookup_rec() in
ftrace_location();
3. Call synchronize_rcu() before freeing any ftrace pages both in
ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
References
Configurations
Configuration 1 (hide)
|
History
17 Oct 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Sep 2024, 13:19
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
First Time |
Linux
Linux linux Kernel |
|
CWE | CWE-416 | |
References | () https://git.kernel.org/stable/c/31310e373f4c8c74e029d4326b283e757edabc0b - Patch | |
References | () https://git.kernel.org/stable/c/66df065b3106964e667b37bf8f7e55ec69d0c1f6 - Patch | |
References | () https://git.kernel.org/stable/c/7b4881da5b19f65709f5c18c1a4d8caa2e496461 - Patch | |
References | () https://git.kernel.org/stable/c/8ea8ef5e42173560ac510e92a1cc797ffeea8831 - Patch | |
References | () https://git.kernel.org/stable/c/dbff5f0bfb2416b8b55c105ddbcd4f885e98fada - Patch | |
References | () https://git.kernel.org/stable/c/e60b613df8b6253def41215402f72986fee3fc8d - Patch |
05 Jul 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jun 2024, 12:44
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
19 Jun 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-19 14:15
Updated : 2024-10-31 08:35
NVD link : CVE-2024-38588
Mitre link : CVE-2024-38588
CVE.ORG link : CVE-2024-38588
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-416
Use After Free