CVE-2024-35955

Source
https://cve.org/CVERecord?id=CVE-2024-35955
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35955.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35955
Published
2024-05-20T09:41:48.607Z
Modified
2026-03-23T05:06:06.592129621Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
kprobes: Fix possible use-after-free issue on kprobe registration
Details

In the Linux kernel, the following vulnerability has been resolved:

kprobes: Fix possible use-after-free issue on kprobe registration

When unloading a module, its state changes MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change takes some time. is_module_text_address() and __module_text_address() work with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use is_module_text_address() and __module_text_address() separately, there is a chance that the first one succeeds but the next one fails because module->state becomes MODULE_STATE_UNFORMED between those operations.

In check_kprobe_address_safe(), if the second __module_text_address() fails, that is ignored because it expected a kernel text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify a non-existent module text address (use-after-free).

To fix this problem, we should not use separated is_module_text_address() and __module_text_address(), but use only __module_text_address() once and do try_module_get(module), which is only available with MODULE_STATE_LIVE.
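The race the commit message describes, as an added user-space model written for this page; it is not kernel code and not the fix itself. The struct module, the LIVE/GOING/UNFORMED state machine, the two lookup helpers, try_module_get(), the finish_unload() hook and the arm_probe() driver are simplified stand-ins with constructed addresses (0x1000..0x10ff as the module's text). The model assumes only what the text states (lookups resolve for LIVE and GOING modules, a reference can be taken only while LIVE) plus one detail of the kernel helper it mirrors: try_module_get(NULL) reports success, which is what lets a failed second lookup be silently treated as core kernel text. Preemption and RCU, which the real code relies on, are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unload walks LIVE -> GOING -> UNFORMED, as the commit message describes. */
enum module_state { MODULE_STATE_LIVE, MODULE_STATE_GOING, MODULE_STATE_UNFORMED };

/* Hypothetical stand-in for struct module: only the fields the race needs. */
struct module {
    enum module_state state;
    uintptr_t text_start;   /* constructed .text range, not a real address */
    size_t text_size;
    int refcnt;
};

/* One constructed module; 0x1000..0x10ff plays the role of its text. */
static struct module demo_mod = { MODULE_STATE_LIVE, 0x1000, 0x100, 0 };

/* Model of __module_text_address(): resolves for LIVE and GOING modules,
 * returns NULL once the module is UNFORMED (its text is being freed). */
static struct module *__module_text_address(uintptr_t addr)
{
    struct module *mod = &demo_mod;

    if (mod->state == MODULE_STATE_UNFORMED)
        return NULL;
    if (addr >= mod->text_start && addr - mod->text_start < mod->text_size)
        return mod;
    return NULL;
}

/* Model of is_module_text_address(): boolean form of the lookup above. */
static bool is_module_text_address(uintptr_t addr)
{
    return __module_text_address(addr) != NULL;
}

/* Model of try_module_get(): a reference is taken only while LIVE. NULL is
 * reported as success, mirroring the kernel helper; that is what lets a
 * failed lookup be mistaken for kernel text in the vulnerable path. */
static bool try_module_get(struct module *mod)
{
    if (!mod)
        return true;
    if (mod->state != MODULE_STATE_LIVE)
        return false;
    mod->refcnt++;
    return true;
}

/* Stand-in for the unloader finishing on another CPU mid-registration. */
typedef void (*race_hook_t)(void);
static void finish_unload(void) { demo_mod.state = MODULE_STATE_UNFORMED; }

enum arm_result {
    ARMED_IN_MODULE,        /* armed with a module reference held */
    ARMED_AS_KERNEL_TEXT,   /* armed with no module reference at all */
    REJECTED,               /* registration refused */
};

/* Pre-fix shape of check_kprobe_address_safe(): two separate lookups. If the
 * second returns NULL, try_module_get(NULL) succeeds and the address is armed
 * as if it were core kernel text, although the module text is being freed. */
static enum arm_result check_address_vulnerable(uintptr_t addr, race_hook_t race)
{
    struct module *probed_mod = NULL;

    if (is_module_text_address(addr)) {
        if (race)
            race();                   /* state flips to UNFORMED here */
        probed_mod = __module_text_address(addr);
        if (!try_module_get(probed_mod))
            return REJECTED;
    }
    return probed_mod ? ARMED_IN_MODULE : ARMED_AS_KERNEL_TEXT;
}

/* Post-fix shape: a single lookup, and try_module_get() is only applied to a
 * real module pointer, so a GOING or UNFORMED module is always rejected. */
static enum arm_result check_address_fixed(uintptr_t addr, race_hook_t race)
{
    struct module *probed_mod = __module_text_address(addr);

    if (race)
        race();                       /* same window, now harmless */
    if (probed_mod && !try_module_get(probed_mod))
        return REJECTED;
    return probed_mod ? ARMED_IN_MODULE : ARMED_AS_KERNEL_TEXT;
}

/* Runs one scenario from a clean module state. */
static enum arm_result arm_probe(bool fixed, uintptr_t addr,
                                 enum module_state initial, bool unload_races)
{
    race_hook_t race = unload_races ? finish_unload : NULL;

    demo_mod.state = initial;
    demo_mod.refcnt = 0;
    return fixed ? check_address_fixed(addr, race)
                 : check_address_vulnerable(addr, race);
}

int main(void)
{
    static const char *names[] = { "ARMED_IN_MODULE", "ARMED_AS_KERNEL_TEXT", "REJECTED" };

    printf("vulnerable, unload races: %s\n", names[arm_probe(false, 0x1010, MODULE_STATE_LIVE, true)]);
    printf("fixed,      unload races: %s\n", names[arm_probe(true, 0x1010, MODULE_STATE_LIVE, true)]);
    return 0;
}
```

With the unload racing between the two lookups, the vulnerable path arms the probe as kernel text with no reference held (the use-after-free the text describes), while the fixed path rejects it. Without a race both paths behave the same, including refusing a module that is already GOING.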

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35955.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8
Fixed
b5808d40093403334d939e2c3c417144d12a6f33
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a119c1a584aa7a2c6216458f1f272bf1bc93a93
Fixed
93eb31e7c3399e326259f2caa17be1e821f5a412
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2a49b025c36ae749cee7ccc4b7e456e02539cdc3
Fixed
5062d1f4f07facbdade0f402d9a04a788f52e26d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a1edb85e60fdab1e14db63ae8af8db3f0d798fb6
Fixed
2df2dd27066cdba8041e46a64362325626bdfb2e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
28f6c37a2910f565b4f5960df52b2eccae28c891
Fixed
62029bc9ff2c17a4e3a2478d83418ec575413808
Fixed
d15023fb407337028a654237d8968fefdcf87c2f
Fixed
36b57c7d2f8b7de224980f1a284432846ad71ca0
Fixed
325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4262b6eb057d86c7829168c541654fe0d48fdac8
Last affected
97e813e6a143edf4208e15c72199c495ed80cea5
Last affected
16a544f1e013ba0660612f3fe35393b143b19a84

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35955.json"