CVE-2023-52879

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/05/2024
Last modified:
03/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Have trace_event_file have ref counters

The following can crash the kernel:

# cd /sys/kernel/tracing
# echo 'p:sched schedule' > kprobe_events
# exec 5>>events/kprobes/sched/enable
# > kprobe_events
# exec 5>&-

The above commands:

1. Change directory to the tracefs directory
2. Create a kprobe event (doesn't matter what one)
3. Open bash file descriptor 5 on the enable file of the kprobe event
4. Delete the kprobe event (removes the files too)
5. Close the bash file descriptor 5

The above causes a crash!

BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:tracing_release_file_tr+0xc/0x50

What happens here is that the kprobe event creates a trace_event_file "file" descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?). Opening the "enable" file gets a reference to the event "file" descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event "file" descriptor.

But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event "file" descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event "file" descriptor that was just freed, causing a use-after-free bug.

To solve this, add a ref count to the event "file" descriptor as well as a new flag called "FREED". The "file" will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event "file" descriptor.
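As an added illustration, not the kernel's code and not part of the advisory text, the following user-space C model replays the five-step reproducer above against an object that carries the ref counter and FREED flag the fix describes. The struct and function names (event_file, EVENT_FILE_FL_FREED, enable_open, enable_write, enable_release, event_remove) are hypothetical stand-ins for the kernel's trace_event_file and its tracefs open/write/release paths (the oops above lands in tracing_release_file_tr); the model shows only the lifetime rule: the object is freed on the last put, and a write through a descriptor opened before the event was removed is refused rather than touching freed memory.

```c
/* Added example (not kernel code): a user-space model of the ref count
 * plus FREED flag described in the commit message. An "event file" is
 * shared between the tracefs directory entry that created it and every
 * open descriptor on its "enable" file. Without the fix, removing the
 * event freed the object while such descriptors still pointed at it. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define EVENT_FILE_FL_ENABLED (1 << 0)
#define EVENT_FILE_FL_FREED   (1 << 1)   /* event removed: no more changes */

struct event_file {                       /* hypothetical stand-in for trace_event_file */
    char name[32];
    unsigned int flags;
    int ref;                              /* tracefs entry + each open fd */
};

static int freed_count;                   /* lets a test observe object lifetime */

static struct event_file *event_file_create(const char *name)
{
    struct event_file *ef = calloc(1, sizeof(*ef));
    if (!ef)
        return NULL;
    snprintf(ef->name, sizeof(ef->name), "%s", name);
    ef->ref = 1;                          /* reference owned by the directory entry */
    return ef;
}

static void event_file_get(struct event_file *ef) { ef->ref++; }

/* Drop one reference; the object is freed only by the last put. */
static void event_file_put(struct event_file *ef)
{
    if (--ef->ref > 0)
        return;
    freed_count++;
    free(ef);
}

/* open("events/kprobes/sched/enable"): the fd takes its own reference. */
static struct event_file *enable_open(struct event_file *ef)
{
    event_file_get(ef);
    return ef;
}

/* write to the enable file: refused once the event has been removed. */
static int enable_write(struct event_file *ef, bool enable)
{
    if (ef->flags & EVENT_FILE_FL_FREED)
        return -ENODEV;
    if (enable)
        ef->flags |= EVENT_FILE_FL_ENABLED;
    else
        ef->flags &= ~EVENT_FILE_FL_ENABLED;
    return 0;
}

/* close(fd): release the fd's reference (the path that crashed). */
static void enable_release(struct event_file *ef) { event_file_put(ef); }

/* "> kprobe_events": mark the event FREED and drop the directory
 * entry's reference; any open fds keep the object alive. */
static void event_remove(struct event_file *ef)
{
    ef->flags |= EVENT_FILE_FL_FREED;
    event_file_put(ef);
}

/* Replay the reproducer: create, open enable, delete the event, then
 * write and close through the stale fd. Returns the write's result
 * (expected -ENODEV) or -1/-2 if the lifetime rule was violated. */
static int replay_reproducer(void)
{
    int before = freed_count, ret;
    struct event_file *ef = event_file_create("sched");
    struct event_file *fd5;
    if (!ef)
        return -ENOMEM;
    fd5 = enable_open(ef);                /* exec 5>>events/kprobes/sched/enable */
    event_remove(ef);                     /* > kprobe_events */
    if (freed_count != before)
        return -1;                        /* would have been the use-after-free */
    ret = enable_write(fd5, true);        /* modification through stale fd */
    enable_release(fd5);                  /* exec 5>&- */
    if (freed_count != before + 1)
        return -2;                        /* last put must free the object */
    return ret;
}

/* Normal lifetime: closing the fd must not free an event that still
 * exists; removing it afterwards must. Returns true when both hold. */
static bool check_normal_path(void)
{
    int before = freed_count;
    struct event_file *ef = event_file_create("sched");
    struct event_file *fd;
    if (!ef)
        return false;
    fd = enable_open(ef);
    if (enable_write(fd, true) != 0 || !(ef->flags & EVENT_FILE_FL_ENABLED))
        return false;
    enable_release(fd);
    if (freed_count != before)
        return false;
    event_remove(ef);
    return freed_count == before + 1;
}

int main(void)
{
    int ret = replay_reproducer();
    printf("write through stale fd: %d, normal path ok: %d, freed: %d\n",
           ret, check_normal_path(), freed_count);
    return ret == -ENODEV ? 0 : 1;
}
```

The two functions exercise the two halves of the fix separately: replay_reproducer shows that removal alone no longer frees the object and that the FREED flag turns the stale write into an error, while check_normal_path shows that the extra reference taken by open does not leak the object once both holders are gone.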

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.258 (including) 5.4.262 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.198 (including) 5.10.202 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.134 (including) 5.15.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.55 (including) 6.1.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.5.5 (including) 6.5.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.1 (excluding)