cve/published/2024/CVE-2024-41004.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41004: tracing: Build event generation tests only as modules

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tracing: Build event generation tests only as modules

 The kprobes and synth event generation test modules add events and lock
 (get a reference) those event file reference in module init function,
 and unlock and delete it in module exit function. This is because those
 are designed for playing as modules.

 If we make those modules as built-in, those events are left locked in the
 kernel, and never be removed. This causes kprobe event self-test failure
 as below.

 [   97.349708] ------------[ cut here ]------------
 [   97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480
 [   97.357106] Modules linked in:
 [   97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14
 [   97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 [   97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480
 [   97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90
 [   97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286
 [   97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000
 [   97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68
 [   97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
 [   97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000
 [   97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000
 [   97.381536] FS:  0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000
 [   97.383813] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0
 [   97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [   97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [   97.391196] Call Trace:
 [   97.391967]  <TASK>
 [   97.392647]  ? __warn+0xcc/0x180
 [   97.393640]  ? kprobe_trace_self_tests_init+0x3f1/0x480
 [   97.395181]  ? report_bug+0xbd/0x150
 [   97.396234]  ? handle_bug+0x3e/0x60
 [   97.397311]  ? exc_invalid_op+0x1a/0x50
 [   97.398434]  ? asm_exc_invalid_op+0x1a/0x20
 [   97.399652]  ? trace_kprobe_is_busy+0x20/0x20
 [   97.400904]  ? tracing_reset_all_online_cpus+0x15/0x90
 [   97.402304]  ? kprobe_trace_self_tests_init+0x3f1/0x480
 [   97.403773]  ? init_kprobe_trace+0x50/0x50
 [   97.404972]  do_one_initcall+0x112/0x240
 [   97.406113]  do_initcall_level+0x95/0xb0
 [   97.407286]  ? kernel_init+0x1a/0x1a0
 [   97.408401]  do_initcalls+0x3f/0x70
 [   97.409452]  kernel_init_freeable+0x16f/0x1e0
 [   97.410662]  ? rest_init+0x1f0/0x1f0
 [   97.411738]  kernel_init+0x1a/0x1a0
 [   97.412788]  ret_from_fork+0x39/0x50
 [   97.413817]  ? rest_init+0x1f0/0x1f0
 [   97.414844]  ret_from_fork_asm+0x11/0x20
 [   97.416285]  </TASK>
 [   97.417134] irq event stamp: 13437323
 [   97.418376] hardirqs last  enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150
 [   97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150
 [   97.423838] softirqs last  enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0
 [   97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0
 [   97.428850] ---[ end trace 0000000000000000 ]---

 And also, since we can not cleanup dynamic_event file, ftracetest are
 failed too.

 To avoid these issues, build these tests only as modules.

 The Linux kernel CVE team has assigned CVE-2024-41004 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 5.10.221 with commit a85bae262ccecc52a40c466ec067f6c915e0839d
 	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 5.15.162 with commit 98a7bfc48fffe170a60d87a5cbb7cdddf08184c3
 	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.1.96 with commit 32ef4dc2b1caf5825c0cf50646479608311cafc3
 	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.6.36 with commit 55d5d08174366efe57ca9e79964828b20c626c45
 	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.9.7 with commit 72a0199b361df2387018697b023fdcdd357449a9
 	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.10 with commit 3572bd5689b0812b161b40279e39ca5b66d73e88

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41004
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/Kconfig


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d
 	https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3
 	https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3
 	https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45
 	https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9
 	https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41004: tracing: Build event generation tests only as modules

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tracing: Build event generation tests only as modules

	The kprobes and synth event generation test modules add events and lock
	(get a reference) those event file reference in module init function,
	and unlock and delete it in module exit function. This is because those
	are designed for playing as modules.

	If we make those modules as built-in, those events are left locked in the
	kernel, and never be removed. This causes kprobe event self-test failure
	as below.

	[ 97.349708] ------------[ cut here ]------------
	[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480
	[ 97.357106] Modules linked in:
	[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14
	[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480
	[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90
	[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286
	[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000
	[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68
	[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
	[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000
	[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000
	[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000
	[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0
	[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	[ 97.391196] Call Trace:
	[ 97.391967] <TASK>
	[ 97.392647] ? __warn+0xcc/0x180
	[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480
	[ 97.395181] ? report_bug+0xbd/0x150
	[ 97.396234] ? handle_bug+0x3e/0x60
	[ 97.397311] ? exc_invalid_op+0x1a/0x50
	[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20
	[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20
	[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90
	[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480
	[ 97.403773] ? init_kprobe_trace+0x50/0x50
	[ 97.404972] do_one_initcall+0x112/0x240
	[ 97.406113] do_initcall_level+0x95/0xb0
	[ 97.407286] ? kernel_init+0x1a/0x1a0
	[ 97.408401] do_initcalls+0x3f/0x70
	[ 97.409452] kernel_init_freeable+0x16f/0x1e0
	[ 97.410662] ? rest_init+0x1f0/0x1f0
	[ 97.411738] kernel_init+0x1a/0x1a0
	[ 97.412788] ret_from_fork+0x39/0x50
	[ 97.413817] ? rest_init+0x1f0/0x1f0
	[ 97.414844] ret_from_fork_asm+0x11/0x20
	[ 97.416285] </TASK>
	[ 97.417134] irq event stamp: 13437323
	[ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150
	[ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150
	[ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0
	[ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0
	[ 97.428850] ---[ end trace 0000000000000000 ]---

	And also, since we can not cleanup dynamic_event file, ftracetest are
	failed too.

	To avoid these issues, build these tests only as modules.

	The Linux kernel CVE team has assigned CVE-2024-41004 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 5.10.221 with commit a85bae262ccecc52a40c466ec067f6c915e0839d
	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 5.15.162 with commit 98a7bfc48fffe170a60d87a5cbb7cdddf08184c3
	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.1.96 with commit 32ef4dc2b1caf5825c0cf50646479608311cafc3
	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.6.36 with commit 55d5d08174366efe57ca9e79964828b20c626c45
	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.9.7 with commit 72a0199b361df2387018697b023fdcdd357449a9
	Issue introduced in 5.6 with commit 9fe41efaca08416657efa8731c0d47ccb6a3f3eb and fixed in 6.10 with commit 3572bd5689b0812b161b40279e39ca5b66d73e88

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41004
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/Kconfig


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a85bae262ccecc52a40c466ec067f6c915e0839d
	https://git.kernel.org/stable/c/98a7bfc48fffe170a60d87a5cbb7cdddf08184c3
	https://git.kernel.org/stable/c/32ef4dc2b1caf5825c0cf50646479608311cafc3
	https://git.kernel.org/stable/c/55d5d08174366efe57ca9e79964828b20c626c45
	https://git.kernel.org/stable/c/72a0199b361df2387018697b023fdcdd357449a9
	https://git.kernel.org/stable/c/3572bd5689b0812b161b40279e39ca5b66d73e88