| Message ID | 20241025134233.2839659-1-koichiro.den@canonical.com |
|---|---|
| Headers | show
Return-Path: <kernel-team-bounces@lists.ubuntu.com> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XZkWM47b7z1xwy for <incoming@patchwork.ozlabs.org>; Sat, 26 Oct 2024 00:43:11 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from <kernel-team-bounces@lists.ubuntu.com>) id 1t4Kal-0000N8-81; Fri, 25 Oct 2024 13:43:03 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from <koichiro.den@canonical.com>) id 1t4Kai-0000MT-Nn for kernel-team@lists.ubuntu.com; Fri, 25 Oct 2024 13:43:00 +0000 Received: from mail-pj1-f70.google.com (mail-pj1-f70.google.com [209.85.216.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 5903E40F90 for <kernel-team@lists.ubuntu.com>; Fri, 25 Oct 2024 13:43:00 +0000 (UTC) Received: by mail-pj1-f70.google.com with SMTP id 98e67ed59e1d1-2e2e146c77cso2539711a91.3 for <kernel-team@lists.ubuntu.com>; Fri, 25 Oct 2024 06:43:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729863779; x=1730468579; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=RYb1bDE+FV25TRnd+rLLI49rzh8RnHD1rDlk5ZC7nU4=; b=iGWtUuv5KSCX8syL3RuYoae7lkS9Hh+heJ4UDpz3QmMzK1S4T2Jb3d+a1KCcEcNL31 aKUpoNCajDJeuVby8rDtX3M9+nKJH4Is/Z9iu2tT4lg3tqdvvyzXtbdO1jOk9osVuIQ7 6XBUn/atRaLRiyKdph9M4eV99leQ5S4EzHTmDhUDrdiDkEewiO2Be3pdaelsalMSiwB3 6Ws3/JRffNV+mvUKY/Z1nAM4JrAEr6nbqfeQh+KCJKQ/CKOIyoWDxGebun5zog4eeAjL FIJPds+v5rRqvAQqQIoJnE5cJLm4dakoop7R4w4Ji36CyWDkIji5Dm4+LHgsAzyItNW2 VZBg== X-Gm-Message-State: AOJu0YzbZV50k2I8a22UpX6Bj6zjMrECIz5tKzkvIEpGjBxrtPFFilPm eJeGo/6feglW3pVInv6Vfvtd3YBvWf8oT+CYTyyhv9fA9pAqHVkZldVMfDjHJptBVRoI13I5xRn jyo+1kVqFhRN/CsqsmpB9Tp/x3ozRXD1sV0guNrWKT7eYUXiE17R6qt2PlqR8LZfNTxYIV90uD7 PiaqSsvQtXzg== X-Received: by 2002:a17:90b:4b4b:b0:2e2:c14c:9c63 with SMTP id 98e67ed59e1d1-2e76b70b91amr8017387a91.40.1729863778772; Fri, 25 Oct 2024 06:42:58 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHUncueumUDLA33YofDk+ayTJ6XwBZApZQnCYKpWWAB9kjQ1iGAYNj1ecHPJ3MgUP3NZdrgZA== X-Received: by 2002:a17:90b:4b4b:b0:2e2:c14c:9c63 with SMTP id 98e67ed59e1d1-2e76b70b91amr8017369a91.40.1729863778302; Fri, 25 Oct 2024 06:42:58 -0700 (PDT) Received: from localhost.localdomain ([240f:74:7be:1:9b52:57a4:8bdb:99d3]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2e8e3572efbsm1418828a91.22.2024.10.25.06.42.57 for <kernel-team@lists.ubuntu.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Oct 2024 06:42:58 -0700 (PDT) From: Koichiro Den <koichiro.den@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][F][PATCH v2 0/3] CVE-2024-38588 Date: Fri, 25 Oct 2024 22:42:27 +0900 Message-ID: <20241025134233.2839659-1-koichiro.den@canonical.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com> List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>, <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe> List-Archive: <https://lists.ubuntu.com/archives/kernel-team> List-Post: <mailto:kernel-team@lists.ubuntu.com> List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help> List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>, <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com> |
| Series | CVE-2024-38588 | expand |
[Impact] ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. Call synchronize_rcu() before freeing any ftrace pages both in ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem(). [Fix] Noble: fixed via stable Jammy: fixed via stable Focal: Backport - multiple prerequisite commits and context adjustments Bionic: fix sent to esm ML Xenial: fix sent to esm ML Trusty: won't fix [Test Case] Compile and boot tested. Stress tested the code path this backport fixes by the following simple script on my local amd64 kvm instance. -----------8<----------- #!/bin/bash ( cd /sys/kernel/debug/tracing while :; do echo 'p:probe/ptp_kvm_gettime ptp_kvm_gettime' > ./kprobe_events 2>/dev/null echo > ./kprobe_events done )& P1=$! ( while :; do modprobe ptp_kvm sleep 0.00$(( ( RANDOM % 10 ) )) modprobe -r ptp_kvm done )& P2=$! taskset -cp 1 $P1 taskset -cp 2 $P2 while :; do dmesg -c | grep -A100 'BUG: KASAN' if [ $? -eq 0 ]; then kill $P1 $P2 wait exit fi sleep 1 done -----------8<----------- [Where problems could occur] The primary fix affects those who use kprobes, especially when creating an event which leads to ftrace based optimization. Even though the fix itself is unlikely to introduce any regression as it's confined to the sync issue, the multiple prerequisite commits for the fix touch ftrace infrastructures, thus an issue with those would be visible to the user via unpredicted system behavior or a system crash when directly using any ftrace features. [Notes] v2: - updated cover letter Artem Savkov (1): ftrace: Return the first found result in lookup_rec() Steven Rostedt (VMware) (1): ftrace: Separate out functionality from ftrace_location_range() Zheng Yejian (1): ftrace: Fix possible use-after-free issue in ftrace_location() kernel/trace/ftrace.c | 64 ++++++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 22 deletions(-)