CVE-2024-38588 ftrace: Fix possible use-after-free issue in ftrace_location()

2024-06-1913:37:43

Linux

www.cve.org

linux kernel vulnerability resolved

kasan reports bug

use-after-free issue

ftrace_location

fix

rcu lock

ftrace_location_range

synchronize_rcu

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix possible use-after-free issue in ftrace_location()

KASAN reports a bug:

BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
Read of size 8 at addr ffff888141d40010 by task insmod/424
CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
[…]
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xa0
print_report+0xcf/0x610
kasan_report+0xb5/0xe0
ftrace_location+0x90/0x120
register_kprobe+0x14b/0xa40
kprobe_init+0x2d/0xff0 [kprobe_example]
do_one_initcall+0x8f/0x2d0
do_init_module+0x13a/0x3c0
load_module+0x3082/0x33d0
init_module_from_file+0xd2/0x130
__x64_sys_finit_module+0x306/0x440
do_syscall_64+0x68/0x140
entry_SYSCALL_64_after_hwframe+0x71/0x79

The root cause is that, in lookup_rec(), ftrace record of some address
is being searched in ftrace pages of some module, but those ftrace pages
at the same time is being freed in ftrace_release_mod() as the
corresponding module is being deleted:

       CPU1                       |      CPU2

register_kprobes() { | delete_module() {
check_kprobe_address_safe() { |
arch_check_ftrace_location() { |
ftrace_location() { |
lookup_rec() // USE! | ftrace_release_mod() // Free!

To fix this issue:

Hold rcu lock as accessing ftrace pages in ftrace_location_range();
Use ftrace_location_range() instead of lookup_rec() in
ftrace_location();
Call synchronize_rcu() before freeing any ftrace pages both in
ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "kernel/trace/ftrace.c"
    ],
    "versions": [
      {
        "version": "ae6aa16fdc16",
        "lessThan": "dbff5f0bfb24",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ae6aa16fdc16",
        "lessThan": "7b4881da5b19",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ae6aa16fdc16",
        "lessThan": "66df065b3106",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ae6aa16fdc16",
        "lessThan": "31310e373f4c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ae6aa16fdc16",
        "lessThan": "e60b613df8b6",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "kernel/trace/ftrace.c"
    ],
    "versions": [
      {
        "version": "3.7",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.7",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.93",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.33",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.12",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.3",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10-rc1",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]