CVE-2023-54211

Summary

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix warning in trace_buffered_event_disable()

Warning happened in trace_buffered_event_disable() at WARN_ON_ONCE(!trace_buffered_event_ref)

Call Trace: ? __warn+0xa5/0x1b0 ? trace_buffered_event_disable+0x189/0x1b0 __ftrace_event_enable_disable+0x19e/0x3e0 free_probe_data+0x3b/0xa0 unregister_ftrace_function_probe_func+0x6b8/0x800 event_enable_func+0x2f0/0x3d0 ftrace_process_regex.isra.0+0x12d/0x1b0 ftrace_filter_write+0xe6/0x140 vfs_write+0x1c9/0x6f0 […]

The cause of the warning is in __ftrace_event_enable_disable(), trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. Reproduction script show as below, for analysis, see the comments:

#!/bin/bash

cd /sys/kernel/tracing/

# 1. Register a 'disable_event' command, then:
#    1) SOFT_DISABLED_BIT was set;
#    2) trace_buffered_event_enable() was called first time;
echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \
    set_ftrace_filter

# 2. Enable the event registered, then:
#    1) SOFT_DISABLED_BIT was cleared;
#    2) trace_buffered_event_disable() was called first time;
echo 1 > events/initcall/initcall_finish/enable

# 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was
#    set again!!!
cat /proc/cmdline

# 4. Unregister the 'disable_event' command, then:
#    1) SOFT_DISABLED_BIT was cleared again;
#    2) trace_buffered_event_disable() was called second time!!!
echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \
    set_ftrace_filter

To fix it, IIUC, we can change to call trace_buffered_event_enable() at fist time soft-mode enabled, and call trace_buffered_event_disable() at last time soft-mode disabled.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < 1488d782c9e43087a3f341b8186cd25f3cf75583affected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < b4f4ab423107dc1ba8e9cc6488c645be6403d3f5affected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < cdcc35e6454133feb61561b4e0d0c80e52cbc2baaffected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074affected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < 813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20affected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < a3a3c7bddab9b6c5690b20796ef5e332b8c48afbaffected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < 528c9d73153754defb748f0b96ad33308668d817affected
LinuxLinux0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 < dea499781a1150d285c62b26659f62fb00824fceaffected
LinuxLinux4.7affected
LinuxLinux0 < 4.7unaffected
LinuxLinux4.14.322 <= 4.14.*unaffected
LinuxLinux4.19.291 <= 4.19.*unaffected
LinuxLinux5.4.253 <= 5.4.*unaffected
LinuxLinux5.10.190 <= 5.10.*unaffected
LinuxLinux5.15.124 <= 5.15.*unaffected
LinuxLinux6.1.43 <= 6.1.*unaffected
LinuxLinux6.4.8 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References