cve/published/2024/CVE-2024-50067.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50067: uprobe: avoid out-of-bounds memory access of fetching args

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 uprobe: avoid out-of-bounds memory access of fetching args

 Uprobe needs to fetch args into a percpu buffer, and then copy to ring
 buffer to avoid non-atomic context problem.

 Sometimes user-space strings, arrays can be very large, but the size of
 percpu buffer is only page size. And store_trace_args() won't check
 whether these data exceeds a single page or not, caused out-of-bounds
 memory access.

 It could be reproduced by following steps:
 1. build kernel with CONFIG_KASAN enabled
 2. save follow program as test.c

 ```
 \#include <stdio.h>
 \#include <stdlib.h>
 \#include <string.h>

 // If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
 // will return 0, cause __get_data_size() return shorter size, and
 // store_trace_args() will not trigger out-of-bounds access.
 // So make string length less than 4096.
 \#define STRLEN 4093

 void generate_string(char *str, int n)
 {
     int i;
     for (i = 0; i < n; ++i)
     {
         char c = i % 26 + 'a';
         str[i] = c;
     }
     str[n-1] = '\0';
 }

 void print_string(char *str)
 {
     printf("%s\n", str);
 }

 int main()
 {
     char tmp[STRLEN];

     generate_string(tmp, STRLEN);
     print_string(tmp);

     return 0;
 }
 ```
 3. compile program
 `gcc -o test test.c`

 4. get the offset of `print_string()`
 ```
 objdump -t test | grep -w print_string
 0000000000401199 g     F .text  000000000000001b              print_string
 ```

 5. configure uprobe with offset 0x1199
 ```
 off=0x1199

 cd /sys/kernel/debug/tracing/
 echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring"
  > uprobe_events
 echo 1 > events/uprobes/enable
 echo 1 > tracing_on
 ```

 6. run `test`, and kasan will report error.
 ==================================================================
 BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
 Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
 Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x55/0x70
  print_address_description.constprop.0+0x27/0x310
  kasan_report+0x10f/0x120
  ? strncpy_from_user+0x1d6/0x1f0
  strncpy_from_user+0x1d6/0x1f0
  ? rmqueue.constprop.0+0x70d/0x2ad0
  process_fetch_insn+0xb26/0x1470
  ? __pfx_process_fetch_insn+0x10/0x10
  ? _raw_spin_lock+0x85/0xe0
  ? __pfx__raw_spin_lock+0x10/0x10
  ? __pte_offset_map+0x1f/0x2d0
  ? unwind_next_frame+0xc5f/0x1f80
  ? arch_stack_walk+0x68/0xf0
  ? is_bpf_text_address+0x23/0x30
  ? kernel_text_address.part.0+0xbb/0xd0
  ? __kernel_text_address+0x66/0xb0
  ? unwind_get_return_address+0x5e/0xa0
  ? __pfx_stack_trace_consume_entry+0x10/0x10
  ? arch_stack_walk+0xa2/0xf0
  ? _raw_spin_lock_irqsave+0x8b/0xf0
  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  ? depot_alloc_stack+0x4c/0x1f0
  ? _raw_spin_unlock_irqrestore+0xe/0x30
  ? stack_depot_save_flags+0x35d/0x4f0
  ? kasan_save_stack+0x34/0x50
  ? kasan_save_stack+0x24/0x50
  ? mutex_lock+0x91/0xe0
  ? __pfx_mutex_lock+0x10/0x10
  prepare_uprobe_buffer.part.0+0x2cd/0x500
  uprobe_dispatcher+0x2c3/0x6a0
  ? __pfx_uprobe_dispatcher+0x10/0x10
  ? __kasan_slab_alloc+0x4d/0x90
  handler_chain+0xdd/0x3e0
  handle_swbp+0x26e/0x3d0
  ? __pfx_handle_swbp+0x10/0x10
  ? uprobe_pre_sstep_notifier+0x151/0x1b0
  irqentry_exit_to_user_mode+0xe2/0x1b0
  asm_exc_int3+0x39/0x40
 RIP: 0033:0x401199
 Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce
 RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206
 RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2
 RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0
 RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20
 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040
 R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000
  </TASK>

 This commit enforces the buffer's maxlen less than a page-size to avoid
 store_trace_args() out-of-memory access.

 The Linux kernel CVE team has assigned CVE-2024-50067 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.1.118 with commit 0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f
 	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.6.59 with commit 9e5f93788c9dd4309e75a56860a1ac44a8e117b9
 	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.11.6 with commit 537ad4a431f6dddbf15d40d19f24bb9ee12b55cb
 	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.12 with commit 373b9338c9722a368925d83bc622c596896b328e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50067
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/trace_uprobe.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f
 	https://git.kernel.org/stable/c/9e5f93788c9dd4309e75a56860a1ac44a8e117b9
 	https://git.kernel.org/stable/c/537ad4a431f6dddbf15d40d19f24bb9ee12b55cb
 	https://git.kernel.org/stable/c/373b9338c9722a368925d83bc622c596896b328e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50067: uprobe: avoid out-of-bounds memory access of fetching args

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	uprobe: avoid out-of-bounds memory access of fetching args

	Uprobe needs to fetch args into a percpu buffer, and then copy to ring
	buffer to avoid non-atomic context problem.

	Sometimes user-space strings, arrays can be very large, but the size of
	percpu buffer is only page size. And store_trace_args() won't check
	whether these data exceeds a single page or not, caused out-of-bounds
	memory access.

	It could be reproduced by following steps:
	1. build kernel with CONFIG_KASAN enabled
	2. save follow program as test.c

	```
	\#include <stdio.h>
	\#include <stdlib.h>
	\#include <string.h>

	// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
	// will return 0, cause __get_data_size() return shorter size, and
	// store_trace_args() will not trigger out-of-bounds access.
	// So make string length less than 4096.
	\#define STRLEN 4093

	void generate_string(char *str, int n)
	{
	int i;
	for (i = 0; i < n; ++i)
	{
	char c = i % 26 + 'a';
	str[i] = c;
	}
	str[n-1] = '\0';
	}

	void print_string(char *str)
	{
	printf("%s\n", str);
	}

	int main()
	{
	char tmp[STRLEN];

	generate_string(tmp, STRLEN);
	print_string(tmp);

	return 0;
	}
	```
	3. compile program
	`gcc -o test test.c`

	4. get the offset of `print_string()`
	```
	objdump -t test \| grep -w print_string
	0000000000401199 g F .text 000000000000001b print_string
	```

	5. configure uprobe with offset 0x1199
	```
	off=0x1199

	cd /sys/kernel/debug/tracing/
	echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring"
	> uprobe_events
	echo 1 > events/uprobes/enable
	echo 1 > tracing_on
	```

	6. run `test`, and kasan will report error.
	==================================================================
	BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
	Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
	Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x55/0x70
	print_address_description.constprop.0+0x27/0x310
	kasan_report+0x10f/0x120
	? strncpy_from_user+0x1d6/0x1f0
	strncpy_from_user+0x1d6/0x1f0
	? rmqueue.constprop.0+0x70d/0x2ad0
	process_fetch_insn+0xb26/0x1470
	? __pfx_process_fetch_insn+0x10/0x10
	? _raw_spin_lock+0x85/0xe0
	? __pfx__raw_spin_lock+0x10/0x10
	? __pte_offset_map+0x1f/0x2d0
	? unwind_next_frame+0xc5f/0x1f80
	? arch_stack_walk+0x68/0xf0
	? is_bpf_text_address+0x23/0x30
	? kernel_text_address.part.0+0xbb/0xd0
	? __kernel_text_address+0x66/0xb0
	? unwind_get_return_address+0x5e/0xa0
	? __pfx_stack_trace_consume_entry+0x10/0x10
	? arch_stack_walk+0xa2/0xf0
	? _raw_spin_lock_irqsave+0x8b/0xf0
	? __pfx__raw_spin_lock_irqsave+0x10/0x10
	? depot_alloc_stack+0x4c/0x1f0
	? _raw_spin_unlock_irqrestore+0xe/0x30
	? stack_depot_save_flags+0x35d/0x4f0
	? kasan_save_stack+0x34/0x50
	? kasan_save_stack+0x24/0x50
	? mutex_lock+0x91/0xe0
	? __pfx_mutex_lock+0x10/0x10
	prepare_uprobe_buffer.part.0+0x2cd/0x500
	uprobe_dispatcher+0x2c3/0x6a0
	? __pfx_uprobe_dispatcher+0x10/0x10
	? __kasan_slab_alloc+0x4d/0x90
	handler_chain+0xdd/0x3e0
	handle_swbp+0x26e/0x3d0
	? __pfx_handle_swbp+0x10/0x10
	? uprobe_pre_sstep_notifier+0x151/0x1b0
	irqentry_exit_to_user_mode+0xe2/0x1b0
	asm_exc_int3+0x39/0x40
	RIP: 0033:0x401199
	Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce
	RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206
	RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2
	RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0
	RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20
	R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040
	R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000
	</TASK>

	This commit enforces the buffer's maxlen less than a page-size to avoid
	store_trace_args() out-of-memory access.

	The Linux kernel CVE team has assigned CVE-2024-50067 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.1.118 with commit 0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f
	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.6.59 with commit 9e5f93788c9dd4309e75a56860a1ac44a8e117b9
	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.11.6 with commit 537ad4a431f6dddbf15d40d19f24bb9ee12b55cb
	Issue introduced in 3.14 with commit dcad1a204f72624796ae83359403898d10393b9c and fixed in 6.12 with commit 373b9338c9722a368925d83bc622c596896b328e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50067
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/trace_uprobe.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0dc3ad9ad2188da7f090b3dbe4d2fcd9ae8ae64f
	https://git.kernel.org/stable/c/9e5f93788c9dd4309e75a56860a1ac44a8e117b9
	https://git.kernel.org/stable/c/537ad4a431f6dddbf15d40d19f24bb9ee12b55cb
	https://git.kernel.org/stable/c/373b9338c9722a368925d83bc622c596896b328e