CVE-2024-38588

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ftrace: Fix possible use-after-free issue in ftrace_location()<br /> <br /> KASAN reports a bug:<br /> <br /> BUG: KASAN: use-after-free in ftrace_location+0x90/0x120<br /> Read of size 8 at addr ffff888141d40010 by task insmod/424<br /> CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+<br /> [...]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x68/0xa0<br /> print_report+0xcf/0x610<br /> kasan_report+0xb5/0xe0<br /> ftrace_location+0x90/0x120<br /> register_kprobe+0x14b/0xa40<br /> kprobe_init+0x2d/0xff0 [kprobe_example]<br /> do_one_initcall+0x8f/0x2d0<br /> do_init_module+0x13a/0x3c0<br /> load_module+0x3082/0x33d0<br /> init_module_from_file+0xd2/0x130<br /> __x64_sys_finit_module+0x306/0x440<br /> do_syscall_64+0x68/0x140<br /> entry_SYSCALL_64_after_hwframe+0x71/0x79<br /> <br /> The root cause is that, in lookup_rec(), ftrace record of some address<br /> is being searched in ftrace pages of some module, but those ftrace pages<br /> at the same time is being freed in ftrace_release_mod() as the<br /> corresponding module is being deleted:<br /> <br /> CPU1 | CPU2<br /> register_kprobes() { | delete_module() {<br /> check_kprobe_address_safe() { |<br /> arch_check_ftrace_location() { |<br /> ftrace_location() { |<br /> lookup_rec() // USE! | ftrace_release_mod() // Free!<br /> <br /> To fix this issue:<br /> 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();<br /> 2. Use ftrace_location_range() instead of lookup_rec() in<br /> ftrace_location();<br /> 3. Call synchronize_rcu() before freeing any ftrace pages both in<br /> ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().