CVE-2023-53478
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/10/2025
Last modified:
02/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

tracing/synthetic: Fix races on freeing last_cmd

Currently, the "last_cmd" variable can be accessed by multiple processes
asynchronously when multiple users manipulate the synthetic_events node
at the same time, which could lead to a use-after-free or double-free.

This patch adds "lastcmd_mutex" to prevent "last_cmd" from being accessed
asynchronously.

================================================================

It's easy to reproduce in the KASAN environment by running the two
scripts below in different shells.

script 1:
while :
do
  echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events
done

script 2:
while :
do
  echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events
done

================================================================
double-free scenario:

process A                         process B
-------------------               ---------------
1.kstrdup last_cmd
                                  2.free last_cmd
3.free last_cmd(double-free)

================================================================
use-after-free scenario:

process A                         process B
-------------------               ---------------
1.kstrdup last_cmd
                                  2.free last_cmd
3.tracing_log_err(use-after-free)

================================================================

Appendix 1. KASAN report double-free:

BUG: KASAN: double-free in kfree+0xdc/0x1d4
Free of addr ***** by task sh/4879
Call trace:
...
kfree+0xdc/0x1d4
create_or_delete_synth_event+0x60/0x1e8
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...

Allocated by task 4879:
...
kstrdup+0x5c/0x98
create_or_delete_synth_event+0x6c/0x1e8
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...

Freed by task 5464:
...
kfree+0xdc/0x1d4
create_or_delete_synth_event+0x60/0x1e8
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...

================================================================
Appendix 2. KASAN report use-after-free:

BUG: KASAN: use-after-free in strlen+0x5c/0x7c
Read of size 1 at addr ***** by task sh/5483
sh: CPU: 7 PID: 5483 Comm: sh
...
__asan_report_load1_noabort+0x34/0x44
strlen+0x5c/0x7c
tracing_log_err+0x60/0x444
create_or_delete_synth_event+0xc4/0x204
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...

Allocated by task 5483:
...
kstrdup+0x5c/0x98
create_or_delete_synth_event+0x80/0x204
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...

Freed by task 5480:
...
kfree+0xdc/0x1d4
create_or_delete_synth_event+0x74/0x204
trace_parse_run_command+0x2bc/0x4b8
synth_events_write+0x20/0x30
vfs_write+0x200/0x830
...