Linux kernel kprobes use-after-free on module unload
CVE-2024-35955 Published on May 20, 2024
kprobes: Fix possible use-after-free issue on kprobe registration
In the Linux kernel, the following vulnerability has been resolved:
kprobes: Fix possible use-after-free issue on kprobe registration
When unloading a module, its state changes MODULE_STATE_LIVE ->
MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes
time. `is_module_text_address()` and `__module_text_address()`
work with MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use `is_module_text_address()` and `__module_text_address()`
separately, there is a chance that the first one succeeds but the
next one fails because module->state becomes MODULE_STATE_UNFORMED
between those operations.
In `check_kprobe_address_safe()`, if the second `__module_text_address()`
fails, that is ignored because it is expected to be a kernel_text address.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
a non-existent module text address (use-after-free).
To fix this problem, we should not use separate `is_module_text_address()`
and `__module_text_address()` calls, but use only `__module_text_address()`
once and do `try_module_get(module)`, which is only available with
MODULE_STATE_LIVE.
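The race the commit message describes is easier to see in a deterministic model. The following user-space C program is an added example, not kernel code and not part of the fix commit: each `model_*` function is a simplified stand-in for the kernel helper named in its comment (`__module_text_address()`, `is_module_text_address()`, `try_module_get()`), the module text range and addresses are constructed values, and a `race` flag stands in for a concurrent unload advancing `module->state` to MODULE_STATE_UNFORMED between two checks. `check_vulnerable()` follows the pre-fix ordering (separate gate and lookup) and `check_fixed()` follows the patched ordering (one lookup, failure is an error).

```c
/* Added example (not kernel code): a user-space model of the race described
 * in the commit message. Each model_* function is a simplified stand-in for
 * the kernel helper named in its comment; `race` stands in for a concurrent
 * module unload that advances module->state between two checks. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum module_state { MODULE_STATE_LIVE, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };

struct module {
    enum module_state state;
    unsigned long text_start;   /* module text is [text_start, text_end) */
    unsigned long text_end;
};

/* Stand-in for __module_text_address(): returns the owning module while it
 * is LIVE or GOING, NULL once it is UNFORMED (or if addr is not module text). */
static struct module *model_module_text_address(struct module *m, unsigned long addr)
{
    if (m->state == MODULE_STATE_UNFORMED)
        return NULL;
    return (addr >= m->text_start && addr < m->text_end) ? m : NULL;
}

/* Stand-in for is_module_text_address(). */
static bool model_is_module_text_address(struct module *m, unsigned long addr)
{
    return model_module_text_address(m, addr) != NULL;
}

/* Stand-in for try_module_get(): a reference is granted only while LIVE. */
static bool model_try_module_get(struct module *m)
{
    return m->state == MODULE_STATE_LIVE;
}

enum check_result { CHECK_KERNEL_TEXT, CHECK_MODULE_PINNED, CHECK_REJECTED };

/* Vulnerable ordering (modelled on check_kprobe_address_safe() before the
 * fix): the text-range gate uses is_module_text_address(), and the module
 * lookup is a separate, later __module_text_address() call. */
static enum check_result check_vulnerable(struct module *m, unsigned long addr,
                                          bool core_kernel_text, bool race)
{
    if (!core_kernel_text && !model_is_module_text_address(m, addr))
        return CHECK_REJECTED;
    if (race)                               /* unload completes in the window */
        m->state = MODULE_STATE_UNFORMED;
    struct module *probed = model_module_text_address(m, addr);
    if (!probed)
        return CHECK_KERNEL_TEXT;           /* wrong: addr is freed module text */
    if (!model_try_module_get(probed))
        return CHECK_REJECTED;
    return CHECK_MODULE_PINNED;
}

/* Fixed ordering (modelled on the patched function): one
 * __module_text_address() lookup for anything that is not core kernel text,
 * and a failed lookup is an error rather than an implicit "kernel text". */
static enum check_result check_fixed(struct module *m, unsigned long addr,
                                     bool core_kernel_text, bool race)
{
    struct module *probed = NULL;
    if (!core_kernel_text) {
        if (race)
            m->state = MODULE_STATE_UNFORMED;
        probed = model_module_text_address(m, addr);
        if (!probed)
            return CHECK_REJECTED;
    }
    if (probed && !model_try_module_get(probed))
        return CHECK_REJECTED;              /* module is GOING: refuse to arm */
    return probed ? CHECK_MODULE_PINNED : CHECK_KERNEL_TEXT;
}

/* Runs one scenario against a fresh module whose text is [0x1000, 0x2000)
 * (constructed values). */
enum check_result run_scenario(bool fixed, enum module_state initial,
                               unsigned long addr, bool core_kernel_text, bool race)
{
    struct module m = { initial, 0x1000, 0x2000 };
    return fixed ? check_fixed(&m, addr, core_kernel_text, race)
                 : check_vulnerable(&m, addr, core_kernel_text, race);
}

int main(void)
{
    static const char *names[] = { "KERNEL_TEXT", "MODULE_PINNED", "REJECTED" };
    /* Module address, module GOING, unload completes mid-check. */
    printf("vulnerable, raced: %s\n",
           names[run_scenario(false, MODULE_STATE_GOING, 0x1500, false, true)]);
    printf("fixed, raced:      %s\n",
           names[run_scenario(true, MODULE_STATE_GOING, 0x1500, false, true)]);
    return 0;
}
```

In the raced scenario the vulnerable ordering classifies a freed module address as kernel text, which is the path on which the real `arm_kprobe()` would patch memory that no longer belongs to a module; the fixed ordering rejects it, and also rejects a module that is still GOING because the reference cannot be taken.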
Vulnerability Analysis
CVE-2024-35955 can be exploited with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2024-35955 has been classified as a Dangling pointer vulnerability or weakness.
Products Associated with CVE-2024-35955
Affected Versions
Linux:
- Version 1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8 and below b5808d40093403334d939e2c3c417144d12a6f33 is affected.
- Version 6a119c1a584aa7a2c6216458f1f272bf1bc93a93 and below 93eb31e7c3399e326259f2caa17be1e821f5a412 is affected.
- Version 2a49b025c36ae749cee7ccc4b7e456e02539cdc3 and below 5062d1f4f07facbdade0f402d9a04a788f52e26d is affected.
- Version a1edb85e60fdab1e14db63ae8af8db3f0d798fb6 and below 2df2dd27066cdba8041e46a64362325626bdfb2e is affected.
- Version 28f6c37a2910f565b4f5960df52b2eccae28c891 and below 62029bc9ff2c17a4e3a2478d83418ec575413808 is affected.
- Version 28f6c37a2910f565b4f5960df52b2eccae28c891 and below d15023fb407337028a654237d8968fefdcf87c2f is affected.
- Version 28f6c37a2910f565b4f5960df52b2eccae28c891 and below 36b57c7d2f8b7de224980f1a284432846ad71ca0 is affected.
- Version 28f6c37a2910f565b4f5960df52b2eccae28c891 and below 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 is affected.
- Version 4262b6eb057d86c7829168c541654fe0d48fdac8 is affected.
- Version 97e813e6a143edf4208e15c72199c495ed80cea5 is affected.
- Version 16a544f1e013ba0660612f3fe35393b143b19a84 is affected.
- Version 6.0 is affected.
- Before 6.0 is unaffected.
- Version 4.19.313, <= 4.19.* is unaffected.
- Version 5.4.275, <= 5.4.* is unaffected.
- Version 5.10.216, <= 5.10.* is unaffected.
- Version 5.15.157, <= 5.15.* is unaffected.
- Version 6.1.87, <= 6.1.* is unaffected.
- Version 6.6.28, <= 6.6.* is unaffected.
- Version 6.8.7, <= 6.8.* is unaffected.
- Version 6.9, <= * is unaffected.
- Version 1c836bad43f3 and below b5808d400934 is affected.
- Version 6a119c1a584a and below 93eb31e7c339 is affected.
- Version 2a49b025c36a and below 93eb31e7c339 is affected.
- Version a1edb85e60fd and below 2df2dd27066c is affected.
- Version 28f6c37a2910 and below 62029bc9ff2c is affected.
- Version 28f6c37a2910 and below d15023fb4073 is affected.
- Version 28f6c37a2910 and below 36b57c7d2f8b is affected.
- Version 28f6c37a2910 and below 325f3fb551f8 is affected.
- Version 6.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.