cve/published/2024/CVE-2024-35955.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35955: kprobes: Fix possible use-after-free issue on kprobe registration

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 kprobes: Fix possible use-after-free issue on kprobe registration

 When unloading a module, its state is changing MODULE_STATE_LIVE ->
  MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
 a time. `is_module_text_address()` and `__module_text_address()`
 works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
 If we use `is_module_text_address()` and `__module_text_address()`
 separately, there is a chance that the first one is succeeded but the
 next one is failed because module->state becomes MODULE_STATE_UNFORMED
 between those operations.

 In `check_kprobe_address_safe()`, if the second `__module_text_address()`
 is failed, that is ignored because it expected a kernel_text address.
 But it may have failed simply because module->state has been changed
 to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
 non-exist module text address (use-after-free).

 To fix this problem, we should not use separated `is_module_text_address()`
 and `__module_text_address()`, but use only `__module_text_address()`
 once and do `try_module_get(module)` which is only available with
 MODULE_STATE_LIVE.

 The Linux kernel CVE team has assigned CVE-2024-35955 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.256 with commit 1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8 and fixed in 4.19.313 with commit b5808d40093403334d939e2c3c417144d12a6f33
 	Issue introduced in 5.4.211 with commit 6a119c1a584aa7a2c6216458f1f272bf1bc93a93 and fixed in 5.4.275 with commit 93eb31e7c3399e326259f2caa17be1e821f5a412
 	Issue introduced in 5.10.137 with commit 2a49b025c36ae749cee7ccc4b7e456e02539cdc3 and fixed in 5.10.216 with commit 5062d1f4f07facbdade0f402d9a04a788f52e26d
 	Issue introduced in 5.15.61 with commit a1edb85e60fdab1e14db63ae8af8db3f0d798fb6 and fixed in 5.15.157 with commit 2df2dd27066cdba8041e46a64362325626bdfb2e
 	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.1.87 with commit 62029bc9ff2c17a4e3a2478d83418ec575413808
 	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.6.28 with commit d15023fb407337028a654237d8968fefdcf87c2f
 	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.8.7 with commit 36b57c7d2f8b7de224980f1a284432846ad71ca0
 	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.9 with commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8
 	Issue introduced in 4.14.291 with commit 4262b6eb057d86c7829168c541654fe0d48fdac8
 	Issue introduced in 5.18.18 with commit 97e813e6a143edf4208e15c72199c495ed80cea5
 	Issue introduced in 5.19.2 with commit 16a544f1e013ba0660612f3fe35393b143b19a84

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35955
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/kprobes.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33
 	https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412
 	https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d
 	https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e
 	https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808
 	https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f
 	https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0
 	https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35955: kprobes: Fix possible use-after-free issue on kprobe registration

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	kprobes: Fix possible use-after-free issue on kprobe registration

	When unloading a module, its state is changing MODULE_STATE_LIVE ->
	MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
	a time. `is_module_text_address()` and `__module_text_address()`
	works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
	If we use `is_module_text_address()` and `__module_text_address()`
	separately, there is a chance that the first one is succeeded but the
	next one is failed because module->state becomes MODULE_STATE_UNFORMED
	between those operations.

	In `check_kprobe_address_safe()`, if the second `__module_text_address()`
	is failed, that is ignored because it expected a kernel_text address.
	But it may have failed simply because module->state has been changed
	to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
	non-exist module text address (use-after-free).

	To fix this problem, we should not use separated `is_module_text_address()`
	and `__module_text_address()`, but use only `__module_text_address()`
	once and do `try_module_get(module)` which is only available with
	MODULE_STATE_LIVE.

	The Linux kernel CVE team has assigned CVE-2024-35955 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.256 with commit 1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8 and fixed in 4.19.313 with commit b5808d40093403334d939e2c3c417144d12a6f33
	Issue introduced in 5.4.211 with commit 6a119c1a584aa7a2c6216458f1f272bf1bc93a93 and fixed in 5.4.275 with commit 93eb31e7c3399e326259f2caa17be1e821f5a412
	Issue introduced in 5.10.137 with commit 2a49b025c36ae749cee7ccc4b7e456e02539cdc3 and fixed in 5.10.216 with commit 5062d1f4f07facbdade0f402d9a04a788f52e26d
	Issue introduced in 5.15.61 with commit a1edb85e60fdab1e14db63ae8af8db3f0d798fb6 and fixed in 5.15.157 with commit 2df2dd27066cdba8041e46a64362325626bdfb2e
	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.1.87 with commit 62029bc9ff2c17a4e3a2478d83418ec575413808
	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.6.28 with commit d15023fb407337028a654237d8968fefdcf87c2f
	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.8.7 with commit 36b57c7d2f8b7de224980f1a284432846ad71ca0
	Issue introduced in 6.0 with commit 28f6c37a2910f565b4f5960df52b2eccae28c891 and fixed in 6.9 with commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8
	Issue introduced in 4.14.291 with commit 4262b6eb057d86c7829168c541654fe0d48fdac8
	Issue introduced in 5.18.18 with commit 97e813e6a143edf4208e15c72199c495ed80cea5
	Issue introduced in 5.19.2 with commit 16a544f1e013ba0660612f3fe35393b143b19a84

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35955
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/kprobes.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33
	https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412
	https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d
	https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e
	https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808
	https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f
	https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0
	https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8