In the Linux kernel, the following vulnerability has been resolved:
kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace case
In _unregisterkprobetop(), if the currently unregistered probe has posthandler but other child probes of the aggrprobe do not have posthandler, the posthandler of the aggrprobe is cleared. If this is a ftrace-based probe, there is a problem. In later calls to disarmkprobe(), we will use kprobeftraceops because posthandler is NULL. But we're armed with kprobeipmodifyops. This triggers a WARN in _disarmkprobe_ftrace() and may even cause use-after-free:
Failed to disarm kprobe-ftrace at kernelclone+0x0/0x3c0 (error -2) WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 _disarmkprobeftrace.isra.21+0xcf/0xe0 Modules linked in: testKprobe007(-) CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty #18 [...] Call Trace: <TASK> _disablekprobe+0xcd/0xe0 _unregisterkprobetop+0x12/0x150 ? mutexlock+0xe/0x30 unregisterkprobes.part.23+0x31/0xa0 unregisterkprobe+0x32/0x40 _x64sysdeletemodule+0x15e/0x260 ? douseraddrfault+0x2cd/0x6b0 dosyscall64+0x3a/0x90 entrySYSCALL64afterhwframe+0x63/0xcd [...]
For the kprobe-on-ftrace case, we keep the posthandler setting to identify this aggrprobe armed with kprobeipmodify_ops. This way we can disarm it correctly.
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "function": "__unregister_kprobe_top", "file": "kernel/kprobes.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@55788ebbe8b365b4375bd56b4ba7db79d393a370", "deprecated": false, "digest": { "length": 673.0, "function_hash": "272244496657715109581178404618736452107" }, "id": "CVE-2022-49779-055c6ace" }, { "signature_version": "v1", "target": { "file": "kernel/kprobes.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb", "deprecated": false, "digest": { "line_hashes": [ "249965616264560359522368221403433956019", "176755142627947314791348134320609403463", "28193015142244056398362276620287205265", "266742659009343814362364862187894020452" ], "threshold": 0.9 }, "id": "CVE-2022-49779-25949cdf" }, { "signature_version": "v1", "target": { "file": "kernel/kprobes.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b0007b28dd970176f2e297c06ae63eea2447127", "deprecated": false, "digest": { "line_hashes": [ "249965616264560359522368221403433956019", "176755142627947314791348134320609403463", "28193015142244056398362276620287205265", "266742659009343814362364862187894020452" ], "threshold": 0.9 }, "id": "CVE-2022-49779-435ec349" }, { "signature_version": "v1", "target": { "file": "kernel/kprobes.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@55788ebbe8b365b4375bd56b4ba7db79d393a370", "deprecated": false, "digest": { "line_hashes": [ "249965616264560359522368221403433956019", "176755142627947314791348134320609403463", "28193015142244056398362276620287205265", "266742659009343814362364862187894020452" ], "threshold": 0.9 }, "id": "CVE-2022-49779-483e38e5" }, { "signature_version": "v1", "target": { "function": "__unregister_kprobe_top", "file": "kernel/kprobes.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b0007b28dd970176f2e297c06ae63eea2447127", "deprecated": false, "digest": { "length": 677.0, "function_hash": "339883795467693589871401296385408007403" }, "id": "CVE-2022-49779-50284f6d" }, { "signature_version": "v1", "target": { "file": "kernel/kprobes.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d606ae1abcc3eab5408e42444d789dc7def51b8", "deprecated": false, "digest": { "line_hashes": [ "249965616264560359522368221403433956019", "176755142627947314791348134320609403463", "28193015142244056398362276620287205265", "266742659009343814362364862187894020452" ], "threshold": 0.9 }, "id": "CVE-2022-49779-503caba9" }, { "signature_version": "v1", "target": { "file": "kernel/kprobes.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c49cc2c059b503e962c2f13a806c105f9b757df4", "deprecated": false, "digest": { "line_hashes": [ "249965616264560359522368221403433956019", "176755142627947314791348134320609403463", "28193015142244056398362276620287205265", "266742659009343814362364862187894020452" ], "threshold": 0.9 }, "id": "CVE-2022-49779-68730a34" }, { "signature_version": "v1", "target": { "function": "__unregister_kprobe_top", "file": "kernel/kprobes.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c49cc2c059b503e962c2f13a806c105f9b757df4", "deprecated": false, "digest": { "length": 673.0, "function_hash": "272244496657715109581178404618736452107" }, "id": "CVE-2022-49779-750a182d" }, { "signature_version": "v1", "target": { "function": "__unregister_kprobe_top", "file": "kernel/kprobes.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d606ae1abcc3eab5408e42444d789dc7def51b8", "deprecated": false, "digest": { "length": 673.0, "function_hash": "272244496657715109581178404618736452107" }, "id": "CVE-2022-49779-77e0cd56" }, { "signature_version": "v1", "target": { "function": "__unregister_kprobe_top", "file": "kernel/kprobes.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5dd7caf0bdc5d0bae7cf9776b4d739fb09bd5ebb", "deprecated": false, "digest": { "length": 673.0, "function_hash": "272244496657715109581178404618736452107" }, "id": "CVE-2022-49779-83aa7113" } ] }