Message-ID: <2024052018-CVE-2024-35955-2555@gregkh>
Date: Mon, 20 May 2024 11:42:20 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35955: kprobes: Fix possible use-after-free issue on kprobe registration
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
kprobes: Fix possible use-after-free issue on kprobe registration
When unloading a module, its state changes MODULE_STATE_LIVE ->
MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes
some time. `is_module_text_address()` and `__module_text_address()`
work with MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use `is_module_text_address()` and `__module_text_address()`
separately, there is a chance that the first one succeeds but the
next one fails because module->state becomes MODULE_STATE_UNFORMED
between those operations.
In `check_kprobe_address_safe()`, if the second `__module_text_address()`
fails, that is ignored because a kernel_text address is expected.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
a non-existent module text address (use-after-free).
To fix this problem, we should not use separate `is_module_text_address()`
and `__module_text_address()`, but use only `__module_text_address()`
once and do `try_module_get(module)`, which is only available with
MODULE_STATE_LIVE.
The Linux kernel CVE team has assigned CVE-2024-35955 to this issue.
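As an added illustration that is not part of this advisory or of the kernel's code, the following C program models the race the commit message describes: a module walks LIVE -> GOING -> UNFORMED while a registration check runs, the model's lookup helper sees LIVE and GOING modules only, and try_module_get() succeeds only for LIVE. The two-lookup shape reports "safe" with no module pinned when the unload lands between the lookups, which is the path that leads to patching freed module text; the single-lookup shape reports the vanished module instead. Every name here is a constructed stand-in (the address ranges, unload_steps(), run_scenario() and the struct layout are assumptions for the model, not kernel APIs).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the module lifecycle described in the commit message.
 * Names mirror the kernel's, but everything here is a stand-in, not kernel code. */
enum module_state { MODULE_STATE_LIVE, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };

struct module {
    enum module_state state;
    unsigned long text_start, text_end;  /* [start, end) of the module's text */
    int refcnt;                          /* stand-in for the module refcount */
};

/* Assumed core-kernel text window for this model. */
static bool core_kernel_text(unsigned long addr)
{
    return addr >= 0x1000 && addr < 0x2000;
}

/* Finds the module whose text covers addr; like the real helpers, it sees
 * LIVE and GOING modules but not UNFORMED ones. */
static struct module *module_text_address(struct module *mods, int n, unsigned long addr)
{
    for (int i = 0; i < n; i++)
        if (mods[i].state != MODULE_STATE_UNFORMED &&
            addr >= mods[i].text_start && addr < mods[i].text_end)
            return &mods[i];
    return NULL;
}

/* Only a LIVE module can be pinned. */
static bool try_module_get(struct module *m)
{
    if (m->state != MODULE_STATE_LIVE)
        return false;
    m->refcnt++;
    return true;
}

/* The unloader: each step advances LIVE -> GOING -> UNFORMED. */
static void unload_steps(struct module *m, int steps)
{
    while (steps-- > 0 && m->state != MODULE_STATE_UNFORMED)
        m->state = (enum module_state)(m->state + 1);
}

/* Vulnerable shape: two separate lookups; a NULL second lookup is taken to mean core text. */
static int check_address_vulnerable(struct module *mods, int n, unsigned long addr,
                                    struct module *racer, int race_steps,
                                    struct module **probed)
{
    *probed = NULL;
    if (!core_kernel_text(addr) && module_text_address(mods, n, addr) == NULL)
        return -EINVAL;                        /* first lookup */
    unload_steps(racer, race_steps);           /* the race window */
    *probed = module_text_address(mods, n, addr);   /* second, separate lookup */
    if (*probed && !try_module_get(*probed))
        return -ENOENT;
    return 0;   /* "safe": the caller would now patch addr */
}

/* Fixed shape: one lookup, and its result is what gets pinned; a vanished module is an error. */
static int check_address_fixed(struct module *mods, int n, unsigned long addr,
                               struct module *racer, int race_steps,
                               struct module **probed)
{
    *probed = NULL;
    if (core_kernel_text(addr))
        return 0;
    unload_steps(racer, race_steps);           /* unloader may run before we look */
    *probed = module_text_address(mods, n, addr);
    if (!*probed)
        return -EINVAL;
    if (!try_module_get(*probed))
        return -ENOENT;
    return 0;
}

/* One scenario on a fresh constructed module (text 0x10000-0x11000, LIVE);
 * *pinned reports whether the check handed back a module to hold a ref on. */
static int run_scenario(bool fixed, unsigned long addr, int steps, bool *pinned)
{
    struct module mods[1] = { { MODULE_STATE_LIVE, 0x10000, 0x11000, 0 } };
    struct module *p = NULL;
    int ret = fixed ? check_address_fixed(mods, 1, addr, &mods[0], steps, &p)
                    : check_address_vulnerable(mods, 1, addr, &mods[0], steps, &p);
    if (pinned)
        *pinned = (p != NULL);
    return ret;
}

int main(void)
{
    for (int steps = 0; steps <= 2; steps++) {   /* 0: no unload, 1: GOING, 2: UNFORMED */
        bool pv, pf;
        int v = run_scenario(false, 0x10040, steps, &pv);
        int f = run_scenario(true, 0x10040, steps, &pf);
        printf("unload steps=%d: vulnerable=%d pinned=%d | fixed=%d pinned=%d\n",
               steps, v, pv, f, pf);
    }
    return 0;
}
```

The row with two unload steps is the bug: the first lookup passes while the module is LIVE, the unloader moves it to UNFORMED, the second lookup comes back NULL and the vulnerable check returns 0 with nothing pinned, so the caller would proceed to patch text that no longer belongs to a loaded module. With one unload step both shapes fail with -ENOENT, because a GOING module is still visible to the lookup but cannot be pinned.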
Affected and fixed versions
===========================
Issue introduced in 4.19.256 with commit 1c836bad43f3 and fixed in 4.19.313 with commit b5808d400934
Issue introduced in 5.4.211 with commit 6a119c1a584a and fixed in 5.4.275 with commit 93eb31e7c339
Issue introduced in 5.10.137 with commit 2a49b025c36a and fixed in 5.10.216 with commit 5062d1f4f07f
Issue introduced in 5.15.61 with commit a1edb85e60fd and fixed in 5.15.157 with commit 2df2dd27066c
Issue introduced in 6.0 with commit 28f6c37a2910 and fixed in 6.1.87 with commit 62029bc9ff2c
Issue introduced in 6.0 with commit 28f6c37a2910 and fixed in 6.6.28 with commit d15023fb4073
Issue introduced in 6.0 with commit 28f6c37a2910 and fixed in 6.8.7 with commit 36b57c7d2f8b
Issue introduced in 6.0 with commit 28f6c37a2910 and fixed in 6.9 with commit 325f3fb551f8
Issue introduced in 4.14.291 with commit 4262b6eb057d
Issue introduced in 5.18.18 with commit 97e813e6a143
Issue introduced in 5.19.2 with commit 16a544f1e013
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35955
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/kprobes.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33
https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412
https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d
https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e
https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808
https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f
https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0
https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8