CVE-2023-53557

Summary

In the Linux kernel, the following vulnerability has been resolved:

fprobe: Release rethook after the ftrace_ops is unregistered

While running bpf selftests it's possible to get following fault:

general protection fault, probably for non-canonical address
0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI … Call Trace: <TASK> fprobe_handler+0xc1/0x270 ? __pfx_bpf_testmod_init+0x10/0x10 ? __pfx_bpf_testmod_init+0x10/0x10 ? bpf_fentry_test1+0x5/0x10 ? bpf_fentry_test1+0x5/0x10 ? bpf_testmod_init+0x22/0x80 ? do_one_initcall+0x63/0x2e0 ? rcu_is_watching+0xd/0x40 ? kmalloc_trace+0xaf/0xc0 ? do_init_module+0x60/0x250 ? __do_sys_finit_module+0xac/0x120 ? do_syscall_64+0x37/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc </TASK>

In unregister_fprobe function we can't release fp->rethook while it's possible there are some of its users still running on another cpu.

Moving rethook_free call after fp->ops is unregistered with unregister_ftrace_function call.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5b0ab78998e32564a011b14c4c7f9c81e2d42b9d < ce3ec57faff559ccae1e0150c1f077eb2df648a4affected
LinuxLinux5b0ab78998e32564a011b14c4c7f9c81e2d42b9d < 03d63255a5783243c110aec5e6ae2f1475c3be76affected
LinuxLinux5b0ab78998e32564a011b14c4c7f9c81e2d42b9d < 5f81018753dfd4989e33ece1f0cb6b8aae498b82affected
LinuxLinux5.18affected
LinuxLinux0 < 5.18unaffected
LinuxLinux6.1.40 <= 6.1.*unaffected
LinuxLinux6.4.5 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References