NVD脆弱性詳細
Exploit、PoC検索
CVE-2024-43891
概要

In the Linux kernel, the following vulnerability has been resolved:

tracing: Have format file honor EVENT_FILE_FL_FREED

When eventfs was introduced, special care had to be done to coordinate the
freeing of the file meta data with the files that are exposed to user
space. The file meta data would have a ref count that is set when the file
is created and would be decremented and freed after the last user that
opened the file closed it. When the file meta data was to be freed, it
would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,
and any new references made (like new opens or reads) would fail as it is
marked freed. This allowed other meta data to be freed after this flag was
set (under the event_mutex).

All the files that were dynamically created in the events directory had a
pointer to the file meta data and would call event_release() when the last
reference to the user space file was closed. This would be the time that it
is safe to free the file meta data.

A shortcut was made for the "format" file. It's i_private would point to
the "call" entry directly and not point to the file's meta data. This is
because all format files are the same for the same "call", so it was
thought there was no reason to differentiate them. The other files
maintain state (like the "enable", "trigger", etc). But this meant if the
file were to disappear, the "format" file would be unaware of it.

This caused a race that could be trigger via the user_events test (that
would create dynamic events and free them), and running a loop that would
read the user_events format files:

In one console run:

# cd tools/testing/selftests/user_events
# while true; do ./ftrace_test; done

And in another console run:

# cd /sys/kernel/tracing/
# while true; do cat events/user_events/__test_event/format; done 2>/dev/null

With KASAN memory checking, it would trigger a use-after-free bug report
(which was a real bug). This was because the format file was not checking
the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the
event that the file meta data pointed to after the event was freed.

After inspection, there are other locations that were found to not check
the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a
new helper function: event_file_file() that will make sure that the
event_mutex is held, and will return NULL if the trace_event_file has the
EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file
pointer use event_file_file() and check for NULL. Later uses can still use
the event_file_data() helper function if the event_mutex is still held and
was not released since the event_file_file() call.

公表日 2024年8月26日20:15
登録日 2024年8月27日5:01
最終更新日 2024年9月6日3:46
CVSS3.1 : MEDIUM
スコア 4.7
ベクター CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
攻撃元区分(AV) ローカル
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更なし
機密性への影響(C) なし
完全性への影響(I) なし
可用性への影響(A)
影響を受けるソフトウェアの構成
構成1 以上 以下 より上 未満
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9 6.10.5
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.33 6.6.49
関連情報、対策とツール
共通脆弱性一覧
JVN脆弱性情報
Linux の Linux Kernel における解放済みメモリの使用に関する脆弱性
タイトル Linux の Linux Kernel における解放済みメモリの使用に関する脆弱性
概要

Linux の Linux Kernel には、解放済みメモリの使用に関する脆弱性が存在します。

想定される影響 サービス運用妨害 (DoS) 状態にされる可能性があります。 
対策

ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日 2024年8月7日0:00
登録日 2024年9月6日18:06
最終更新日 2024年9月6日18:06
影響を受けるシステム
Linux
Linux Kernel 6.11
Linux Kernel 6.6.33 以上 6.6.49 未満
Linux Kernel 6.9 以上 6.10.5 未満
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
変更履歴
No 変更内容 変更日
1 [2024年09月06日]
  掲載		 2024年9月6日18:06