cve/published/2022/CVE-2022-49799.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49799: tracing: Fix wild-memory-access in register_synth_event()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tracing: Fix wild-memory-access in register_synth_event()

 In register_synth_event(), if set_synth_event_print_fmt() failed, then
 both trace_remove_event_call() and unregister_trace_event() will be
 called, which means the trace_event_call will call
 __unregister_trace_event() twice. As the result, the second unregister
 will causes the wild-memory-access.

 register_synth_event
     set_synth_event_print_fmt failed
     trace_remove_event_call
         event_remove
             if call->event.funcs then
             __unregister_trace_event (first call)
     unregister_trace_event
         __unregister_trace_event (second call)

 Fix the bug by avoiding to call the second __unregister_trace_event() by
 checking if the first one is called.

 general protection fault, probably for non-canonical address
 	0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI
 KASAN: maybe wild-memory-access in range
 [0xdead000000000120-0xdead000000000127]
 CPU: 0 PID: 3807 Comm: modprobe Not tainted
 6.1.0-rc1-00186-g76f33a7eedb4 #299
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
 rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
 RIP: 0010:unregister_trace_event+0x6e/0x280
 Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48
 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02
 00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b
 RSP: 0018:ffff88810413f370 EFLAGS: 00010a06
 RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000
 RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20
 RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481
 R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122
 R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028
 FS:  00007f7823e8d540(0000) GS:ffff888119e00000(0000)
 knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  __create_synth_event+0x1e37/0x1eb0
  create_or_delete_synth_event+0x110/0x250
  synth_event_run_command+0x2f/0x110
  test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]
  synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]
  do_one_initcall+0xdb/0x480
  do_init_module+0x1cf/0x680
  load_module+0x6a50/0x70a0
  __do_sys_finit_module+0x12f/0x1c0
  do_syscall_64+0x3f/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

 The Linux kernel CVE team has assigned CVE-2022-49799 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 5.10.156 with commit 315b149f08229a233d47532eb5da1707b28f764c
 	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 5.15.80 with commit 6517b97134f724d12f673f9fb4f456d75c7a905f
 	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 6.0.10 with commit a5bfa53e5036b3e7a80be902dd3719a930accabd
 	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 6.1 with commit 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49799
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/trace_events_synth.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/315b149f08229a233d47532eb5da1707b28f764c
 	https://git.kernel.org/stable/c/6517b97134f724d12f673f9fb4f456d75c7a905f
 	https://git.kernel.org/stable/c/a5bfa53e5036b3e7a80be902dd3719a930accabd
 	https://git.kernel.org/stable/c/1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49799: tracing: Fix wild-memory-access in register_synth_event()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tracing: Fix wild-memory-access in register_synth_event()

	In register_synth_event(), if set_synth_event_print_fmt() failed, then
	both trace_remove_event_call() and unregister_trace_event() will be
	called, which means the trace_event_call will call
	__unregister_trace_event() twice. As the result, the second unregister
	will causes the wild-memory-access.

	register_synth_event
	set_synth_event_print_fmt failed
	trace_remove_event_call
	event_remove
	if call->event.funcs then
	__unregister_trace_event (first call)
	unregister_trace_event
	__unregister_trace_event (second call)

	Fix the bug by avoiding to call the second __unregister_trace_event() by
	checking if the first one is called.

	general protection fault, probably for non-canonical address
	0xfbd59c0000000024: 0000 [#1] SMP KASAN PTI
	KASAN: maybe wild-memory-access in range
	[0xdead000000000120-0xdead000000000127]
	CPU: 0 PID: 3807 Comm: modprobe Not tainted
	6.1.0-rc1-00186-g76f33a7eedb4 #299
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
	rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
	RIP: 0010:unregister_trace_event+0x6e/0x280
	Code: 00 fc ff df 4c 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 0e 02 00 00 48
	b8 00 00 00 00 00 fc ff df 4c 8b 63 08 4c 89 e2 48 c1 ea 03 <80> 3c 02
	00 0f 85 e2 01 00 00 49 89 2c 24 48 85 ed 74 28 e8 7a 9b
	RSP: 0018:ffff88810413f370 EFLAGS: 00010a06
	RAX: dffffc0000000000 RBX: ffff888105d050b0 RCX: 0000000000000000
	RDX: 1bd5a00000000024 RSI: ffff888119e276e0 RDI: ffffffff835a8b20
	RBP: dead000000000100 R08: 0000000000000000 R09: fffffbfff0913481
	R10: ffffffff8489a407 R11: fffffbfff0913480 R12: dead000000000122
	R13: ffff888105d050b8 R14: 0000000000000000 R15: ffff888105d05028
	FS: 00007f7823e8d540(0000) GS:ffff888119e00000(0000)
	knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f7823e7ebec CR3: 000000010a058002 CR4: 0000000000330ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	__create_synth_event+0x1e37/0x1eb0
	create_or_delete_synth_event+0x110/0x250
	synth_event_run_command+0x2f/0x110
	test_gen_synth_cmd+0x170/0x2eb [synth_event_gen_test]
	synth_event_gen_test_init+0x76/0x9bc [synth_event_gen_test]
	do_one_initcall+0xdb/0x480
	do_init_module+0x1cf/0x680
	load_module+0x6a50/0x70a0
	__do_sys_finit_module+0x12f/0x1c0
	do_syscall_64+0x3f/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	The Linux kernel CVE team has assigned CVE-2022-49799 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 5.10.156 with commit 315b149f08229a233d47532eb5da1707b28f764c
	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 5.15.80 with commit 6517b97134f724d12f673f9fb4f456d75c7a905f
	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 6.0.10 with commit a5bfa53e5036b3e7a80be902dd3719a930accabd
	Issue introduced in 4.17 with commit 4b147936fa509650beaf638b331573c23ba4d609 and fixed in 6.1 with commit 1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49799
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/trace_events_synth.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/315b149f08229a233d47532eb5da1707b28f764c
	https://git.kernel.org/stable/c/6517b97134f724d12f673f9fb4f456d75c7a905f
	https://git.kernel.org/stable/c/a5bfa53e5036b3e7a80be902dd3719a930accabd
	https://git.kernel.org/stable/c/1b5f1c34d3f5a664a57a5a7557a50e4e3cc2505c