CVE-2024-35955

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 20/05/2024
Last modified: 04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

kprobes: Fix possible use-after-free issue on kprobe registration

When unloading a module, its state changes MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes some time. `is_module_text_address()` and `__module_text_address()` work with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one succeeds but the next one fails because module->state becomes MODULE_STATE_UNFORMED between those operations.

In `check_kprobe_address_safe()`, if the second `__module_text_address()` fails, that is ignored because a kernel_text address is expected. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify a non-existent module text address (use-after-free).

To fix this problem, we should not use separate `is_module_text_address()` and `__module_text_address()` calls, but use only `__module_text_address()` once and do `try_module_get(module)`, which is only available with MODULE_STATE_LIVE.
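The following is an added example, not kernel code and not part of the advisory: a user-space C model of the race the description above explains. The module, its three states, the lookup and reference helpers (`mod_text_address`, `is_mod_text_address`, `try_mod_get`), the `race_hook_t` that stands in for a concurrent unload on another CPU, and the address layout are all constructed for this model and deliberately named differently from the kernel functions they mimic. It runs the vulnerable two-lookup check and the fixed single-lookup-plus-`try_module_get()` check against a module caught mid-unload and reports whether the probe would be armed into freed text.

```c
/* Added example (not kernel code): user-space model of the race in
 * check_kprobe_address_safe(). States, lookups, try_module_get() and
 * arm_kprobe() are simplified stand-ins carrying mod_/kp_ prefixes. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum module_state { MODULE_STATE_LIVE, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };
struct module { enum module_state state; uintptr_t text_start, text_end; int refcnt; };

/* Constructed layout: core kernel text at [0x1000,0x2000), one module's .text. */
#define CORE_TEXT_START 0x1000u
#define CORE_TEXT_END   0x2000u
static struct module the_mod = { MODULE_STATE_LIVE, 0x9000u, 0xa000u, 0 };

static bool core_text_model(uintptr_t a) { return a >= CORE_TEXT_START && a < CORE_TEXT_END; }

/* Model of __module_text_address(): resolves while LIVE or GOING; once the
 * module is UNFORMED its text is gone and the lookup returns NULL. */
static struct module *mod_text_address(uintptr_t a)
{
    if (the_mod.state == MODULE_STATE_UNFORMED)
        return NULL;
    return (a >= the_mod.text_start && a < the_mod.text_end) ? &the_mod : NULL;
}
static bool is_mod_text_address(uintptr_t a) { return mod_text_address(a) != NULL; } /* is_module_text_address() */

/* Model of try_module_get(): takes a reference only on a LIVE module. */
static bool try_mod_get(struct module *m)
{
    if (m->state != MODULE_STATE_LIVE)
        return false;
    m->refcnt++;
    return true;
}

/* Stands in for the unloader advancing module->state on another CPU. */
typedef void (*race_hook_t)(void);
static void unload_to_unformed(void) { the_mod.state = MODULE_STATE_UNFORMED; }

/* Vulnerable shape: two separate lookups. Returns 0 or -errno; *probed is the
 * pinned module, or NULL meaning "this is core kernel text". */
static int kp_check_addr_old(uintptr_t a, race_hook_t race, struct module **probed)
{
    *probed = NULL;
    if (!(core_text_model(a) || is_mod_text_address(a)))
        return -EINVAL;               /* first lookup: LIVE or GOING passes */
    if (race)
        race();                       /* state flips to UNFORMED here */
    *probed = mod_text_address(a);    /* second lookup now yields NULL ... */
    if (*probed && !try_mod_get(*probed))
        return -ENOENT;
    return 0;                         /* ... and NULL is mistaken for core text */
}

/* Fixed shape: one __module_text_address() lookup, then try_module_get(), which
 * succeeds only while LIVE. Wherever the unload lands, a non-LIVE module is
 * refused (-EINVAL or -ENOENT) instead of being treated as core text. */
static int kp_check_addr_new(uintptr_t a, race_hook_t race, struct module **probed)
{
    *probed = NULL;
    if (core_text_model(a))
        return 0;
    if (race)
        race();
    if (!(*probed = mod_text_address(a)))
        return -EINVAL;
    return try_mod_get(*probed) ? 0 : -ENOENT;
}

/* Model of arm_kprobe(): true if the text patch would land in freed memory. */
static bool kp_arm_hits_freed_text(uintptr_t a, const struct module *probed)
{
    if (probed || core_text_model(a))
        return false;                 /* pinned module or core text: stable */
    return the_mod.state == MODULE_STATE_UNFORMED;
}

/* One registration from a fresh module state: 1 = probe armed into freed text,
 * 0 = armed safely, -errno = registration refused. */
static int scenario(bool fixed, enum module_state start, race_hook_t race)
{
    struct module *probed = NULL;
    uintptr_t a = 0x9100u;            /* inside the module's .text */
    int ret;
    the_mod.state = start;
    the_mod.refcnt = 0;
    ret = fixed ? kp_check_addr_new(a, race, &probed) : kp_check_addr_old(a, race, &probed);
    return ret < 0 ? ret : (kp_arm_hits_freed_text(a, probed) ? 1 : 0);
}

int main(void)
{
    printf("old, GOING + unload: %d (1 = use-after-free)\n", scenario(false, MODULE_STATE_GOING, unload_to_unformed));
    printf("new, GOING + unload: %d (-EINVAL)\n", scenario(true, MODULE_STATE_GOING, unload_to_unformed));
    printf("new, LIVE: %d\n", scenario(true, MODULE_STATE_LIVE, NULL));
    return 0;
}
```

In the old check the first lookup passes while the module is GOING, the unload moves it to UNFORMED, the second lookup returns NULL, and that NULL is taken to mean a core-kernel-text address, so arming proceeds against memory that no longer exists. The fixed check refuses the same registration with -EINVAL (or -ENOENT if the unload has not yet reached UNFORMED), because the single lookup result is handed straight to a `try_module_get()` that only succeeds on a LIVE module; a successful registration leaves the module pinned (refcount held) for the duration of the text patch.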

Vulnerable products and versions

CPE                                                From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.14.291           4.15
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.19.256           4.19.313
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.4.211            5.4.275
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.10.137           5.10.216
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.15.61            5.15.157
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.18.18            5.19
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.19.2             6.1.87
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2                6.6.28
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7                6.8.7
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*   (exact version in CPE)
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*   (exact version in CPE)
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*   (exact version in CPE)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*   (exact version in CPE)