Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49892

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
01/05/2025
Last modified:
07/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ftrace: Fix use-after-free for dynamic ftrace_ops<br /> <br /> KASAN reported a use-after-free with ftrace ops [1]. It was found from<br /> vmcore that perf had registered two ops with the same content<br /> successively, both dynamic. After unregistering the second ops, a<br /> use-after-free occurred.<br /> <br /> In ftrace_shutdown(), when the second ops is unregistered, the<br /> FTRACE_UPDATE_CALLS command is not set because there is another enabled<br /> ops with the same content. Also, both ops are dynamic and the ftrace<br /> callback function is ftrace_ops_list_func, so the<br /> FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value<br /> of &amp;#39;command&amp;#39; will be 0 and ftrace_shutdown() will skip the rcu<br /> synchronization.<br /> <br /> However, ftrace may be activated. When the ops is released, another CPU<br /> may be accessing the ops. Add the missing synchronization to fix this<br /> problem.<br /> <br /> [1]<br /> BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]<br /> BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049<br /> Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468<br /> <br /> CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132<br /> show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196<br /> __dump_stack lib/dump_stack.c:77 [inline]<br /> dump_stack+0x1b4/0x248 lib/dump_stack.c:118<br /> print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387<br /> __kasan_report mm/kasan/report.c:547 [inline]<br /> kasan_report+0x118/0x210 mm/kasan/report.c:564<br /> check_memory_region_inline mm/kasan/generic.c:187 [inline]<br /> __asan_load8+0x98/0xc0 mm/kasan/generic.c:253<br /> __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]<br /> ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049<br /> ftrace_graph_call+0x0/0x4<br /> __might_sleep+0x8/0x100 include/linux/perf_event.h:1170<br /> __might_fault mm/memory.c:5183 [inline]<br /> __might_fault+0x58/0x70 mm/memory.c:5171<br /> do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]<br /> strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139<br /> getname_flags+0xb0/0x31c fs/namei.c:149<br /> getname+0x2c/0x40 fs/namei.c:209<br /> [...]<br /> <br /> Allocated by task 14445:<br /> kasan_save_stack+0x24/0x50 mm/kasan/common.c:48<br /> kasan_set_track mm/kasan/common.c:56 [inline]<br /> __kasan_kmalloc mm/kasan/common.c:479 [inline]<br /> __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449<br /> kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493<br /> kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950<br /> kmalloc include/linux/slab.h:563 [inline]<br /> kzalloc include/linux/slab.h:675 [inline]<br /> perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230<br /> perf_event_alloc kernel/events/core.c:11733 [inline]<br /> __do_sys_perf_event_open kernel/events/core.c:11831 [inline]<br /> __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723<br /> __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723<br /> [...]<br /> <br /> Freed by task 14445:<br /> kasan_save_stack+0x24/0x50 mm/kasan/common.c:48<br /> kasan_set_track+0x24/0x34 mm/kasan/common.c:56<br /> kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358<br /> __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437<br /> __kasan_slab_free mm/kasan/common.c:445 [inline]<br /> kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446<br /> slab_free_hook mm/slub.c:1569 [inline]<br /> slab_free_freelist_hook mm/slub.c:1608 [inline]<br /> slab_free mm/slub.c:3179 [inline]<br /> kfree+0x12c/0xc10 mm/slub.c:4176<br /> perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434<br /> perf_event_alloc kernel/events/core.c:11733 [inline]<br /> __do_sys_perf_event_open kernel/events/core.c:11831 [inline]<br /> __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723<br /> [...]

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.1.45 (including) 4.2 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.4.89 (including) 4.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9.52 (including) 4.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.13.4 (including) 5.10.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.0.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools