CVE-2023-53557
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fprobe: Release rethook after the ftrace_ops is unregistered
While running bpf selftests it's possible to get following fault:
general protection fault, probably for non-canonical address
0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
…
Call Trace:
<TASK>
fprobe_handler+0xc1/0x270
? __pfx_bpf_testmod_init+0x10/0x10
? __pfx_bpf_testmod_init+0x10/0x10
? bpf_fentry_test1+0x5/0x10
? bpf_fentry_test1+0x5/0x10
? bpf_testmod_init+0x22/0x80
? do_one_initcall+0x63/0x2e0
? rcu_is_watching+0xd/0x40
? kmalloc_trace+0xaf/0xc0
? do_init_module+0x60/0x250
? __do_sys_finit_module+0xac/0x120
? do_syscall_64+0x37/0x90
? entry_SYSCALL_64_after_hwframe+0x72/0xdc
</TASK>
In unregister_fprobe function we can't release fp->rethook while it's possible there are some of its users still running on another cpu.
Moving rethook_free call after fp->ops is unregistered with unregister_ftrace_function call.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5b0ab78998e32564a011b14c4c7f9c81e2d42b9d < ce3ec57faff559ccae1e0150c1f077eb2df648a4 | affected |
| Linux | Linux | 5b0ab78998e32564a011b14c4c7f9c81e2d42b9d < 03d63255a5783243c110aec5e6ae2f1475c3be76 | affected |
| Linux | Linux | 5b0ab78998e32564a011b14c4c7f9c81e2d42b9d < 5f81018753dfd4989e33ece1f0cb6b8aae498b82 | affected |
| Linux | Linux | 5.18 | affected |
| Linux | Linux | 0 < 5.18 | unaffected |
| Linux | Linux | 6.1.40 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.5 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/ce3ec57faff559ccae1e0150c1f077eb2df648a4
- https://git.kernel.org/stable/c/03d63255a5783243c110aec5e6ae2f1475c3be76
- https://git.kernel.org/stable/c/5f81018753dfd4989e33ece1f0cb6b8aae498b82
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.