CVE-2024-35955

HIGH

Linux Kernel - Use-After-Free in Kprobe Registration

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix possible use-after-free issue on kprobe registration When unloading a module, its state is changing MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time. `is_module_text_address()` and `__module_text_address()` works with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one is succeeded but the next one is failed because module->state becomes MODULE_STATE_UNFORMED between those operations. In `check_kprobe_address_safe()`, if the second `__module_text_address()` is failed, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify non-exist module text address (use-after-free). To fix this problem, we should not use separated `is_module_text_address()` and `__module_text_address()`, but use only `__module_text_address()` once and do `try_module_get(module)` which is only available with MODULE_STATE_LIVE.

Scores

CVSS v3 8.8
EPSS 0.0117
EPSS Percentile 63.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-416
Status published
Products (38)
debian/debian_linux 10.0
linux/Kernel < 4.19.313linux
linux/Kernel 4.20.0 - 5.4.275linux
linux/Kernel 5.11.0 - 5.15.157linux
linux/Kernel 5.16.0 - 6.1.87linux
linux/Kernel 5.5.0 - 5.10.216linux
linux/Kernel 6.0.0 - 6.6.28linux
linux/Kernel 6.2.0 - 6.8.7linux
Linux/Linux < 6.0
Linux/Linux 16a544f1e013ba0660612f3fe35393b143b19a84
... and 28 more
Published May 20, 2024
Tracked Since Feb 18, 2026