8.8

CVE-2024-35955

kprobes: Fix possible use-after-free issue on kprobe registration

In the Linux kernel, the following vulnerability has been resolved:

kprobes: Fix possible use-after-free issue on kprobe registration

When unloading a module, its state is changing MODULE_STATE_LIVE ->
 MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
a time. `is_module_text_address()` and `__module_text_address()`
works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use `is_module_text_address()` and `__module_text_address()`
separately, there is a chance that the first one is succeeded but the
next one is failed because module->state becomes MODULE_STATE_UNFORMED
between those operations.

In `check_kprobe_address_safe()`, if the second `__module_text_address()`
is failed, that is ignored because it expected a kernel_text address.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
non-exist module text address (use-after-free).

To fix this problem, we should not use separated `is_module_text_address()`
and `__module_text_address()`, but use only `__module_text_address()`
once and do `try_module_get(module)` which is only available with
MODULE_STATE_LIVE.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.14.291 < 4.15
LinuxLinux Kernel Version >= 4.19.256 < 4.19.313
LinuxLinux Kernel Version >= 5.4.211 < 5.4.275
LinuxLinux Kernel Version >= 5.10.137 < 5.10.216
LinuxLinux Kernel Version >= 5.15.61 < 5.15.157
LinuxLinux Kernel Version >= 5.18.18 < 5.19
LinuxLinux Kernel Version >= 5.19.2 < 6.1.87
LinuxLinux Kernel Version >= 6.2 < 6.6.28
LinuxLinux Kernel Version >= 6.7 < 6.8.7
LinuxLinux Kernel Version6.9 Updaterc1
LinuxLinux Kernel Version6.9 Updaterc2
LinuxLinux Kernel Version6.9 Updaterc3
DebianDebian Linux Version10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.17% 0.632
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Third Party Advisory
Mailing List
https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e
Patch
https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8
Patch
https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0
Patch
https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d
Patch
https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808
Patch
https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412
Patch
https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33
Patch
https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f
Patch
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
https://cert-portal.siemens.com/productcert/html/ssa-613116.html