Description:
In the Linux kernel, the following vulnerability has been resolved:

kprobes: Fix possible use-after-free issue on kprobe registration

When unloading a module, its state changes MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes time. `is_module_text_address()` and `__module_text_address()` work with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one succeeds but the next one fails because module->state becomes MODULE_STATE_UNFORMED between those operations.

In `check_kprobe_address_safe()`, if the second `__module_text_address()` fails, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify a non-existent module text address (use-after-free).

To fix this problem, we should not use separate `is_module_text_address()` and `__module_text_address()` calls, but use only `__module_text_address()` once and do `try_module_get(module)`, which is only available with MODULE_STATE_LIVE.
CVSS3: 8.8
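
The race in the description, reduced to a single-threaded user-space C model (an added example, not kernel code and not taken from the patch). The `model_*` helpers, `lookups_until_unformed` and the addresses are constructed stand-ins; the state change a concurrent unloader would cause is injected after a chosen lookup.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model, constructed for illustration; not kernel code. */
enum mod_state { LIVE, GOING, UNFORMED };
struct module { enum mod_state state; unsigned long base, size; int refs; };
static struct module mod = { LIVE, 0x1000, 0x100, 0 };
static int lookups_until_unformed; /* 0 = no concurrent unload */
/* Like the lookups in the description: finds the module only while LIVE or GOING. */
static struct module *model_module_text_address(unsigned long a)
{
	struct module *m = NULL;
	if (mod.state != UNFORMED && a >= mod.base && a < mod.base + mod.size)
		m = &mod;
	if (lookups_until_unformed > 0 && --lookups_until_unformed == 0)
		mod.state = UNFORMED; /* simulated unloader advances here */
	return m;
}
static int model_is_module_text_address(unsigned long a) { return model_module_text_address(a) != NULL; }
static int model_core_kernel_text(unsigned long a) { return a < 0x1000; }
static int model_try_module_get(struct module *m)
{
	return m->state == LIVE && ++m->refs; /* pins only a live module */
}
/* Pre-fix pattern: two separate lookups. 0 means "safe, go arm the probe". */
static int check_racy(unsigned long a)
{
	struct module *m;
	if (!(model_core_kernel_text(a) || model_is_module_text_address(a)))
		return -EINVAL;
	m = model_module_text_address(a); /* may fail now: state has changed */
	if (m && !model_try_module_get(m))
		return -ENOENT;
	return 0; /* m == NULL is misread as "kernel text" */
}
/* Fixed pattern: one lookup, then pin the module before trusting it. */
static int check_fixed(unsigned long a)
{
	struct module *m = model_module_text_address(a);
	if (m)
		return model_try_module_get(m) ? 0 : -ENOENT;
	return model_core_kernel_text(a) ? 0 : -EINVAL;
}
static int run(int (*check)(unsigned long), enum mod_state s, int race)
{
	mod.state = s; mod.refs = 0; lookups_until_unformed = race;
	return check(0x1010); /* constructed address inside the model module */
}
int main(void) { printf("racy=%d fixed=%d\n", run(check_racy, GOING, 1), run(check_fixed, GOING, 1)); return 0; }
```

With the state change injected after the first lookup, the two-lookup check returns 0 without holding a module reference, while the single-lookup check returns `-ENOENT`.
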
OS | Vendor version | Errata |
---|---|---|
Debian 10 | 4.19.316-1 | DLA-3840-1 |
Debian 10 cloud | 4.19.316-1 | DLA-3840-1 |
Ubuntu 20.04 | 5.4.0-189.209 | USN-6896-1 |
Ubuntu 20.04 AWS | 5.4.0-1128.138 | USN-6896-5 |
Ubuntu 20.04 Azure | 5.4.0-1133.140 | USN-6896-1 |
Ubuntu 16.04 HWE ESM | 4.15.0-228.240~16.04.1 | USN-6972-1 |
Ubuntu 16.04 AWS HWE ESM | 4.15.0-1172.185~16.04.1 | USN-6972-2 |
Ubuntu 16.04 Azure ESM | 4.15.0-1180.195~16.04.1 | USN-6972-3 |
Debian 11 | 5.10.216-1 | DSA-5681-1 |
Ubuntu 22.04 | 5.15.0-116.126 | USN-6898-1 |
Ubuntu 22.04 AWS | 5.15.0-1065.71 | USN-6898-3 |
Ubuntu 22.04 Azure | 5.15.0-1068.77 | USN-6917-1 |
Ubuntu 20.04 HWE Azure | 5.15.0-1068.77~20.04.1 | USN-6917-1 |
Ubuntu 20.04 GCP | 5.4.0-1132.141 | USN-6896-1 |
Ubuntu 24.04 | 6.8.0-38.38 | USN-6893-1 |

OS | Original kernel version | State |
---|---|---|
Debian 10 | | Planned |
Debian 10 cloud | | Planned |
Ubuntu 20.04 | | In Progress |
Ubuntu 20.04 AWS | | Planned |
Ubuntu 20.04 Azure | | In Progress |
Ubuntu 16.04 HWE ESM | | Planned |
Ubuntu 16.04 AWS HWE ESM | | Planned |
Ubuntu 16.04 Azure ESM | | Planned |
Debian 11 | | Planned |
Ubuntu 22.04 | | Ready For Release |
Ubuntu 22.04 AWS | | Planned |
Ubuntu 22.04 Azure | | Planned |
Ubuntu 20.04 HWE Azure | | Planned |
Ubuntu 20.04 GCP | | In Progress |
Ubuntu 24.04 | | Planned |