CVE-2024-43891 (GCVE-0-2024-43891)
Vulnerability from cvelistv5
Published
2024-08-26 10:10
Modified
2025-05-04 09:28
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tracing: Have format file honor EVENT_FILE_FL_FREED When eventfs was introduced, special care had to be done to coordinate the freeing of the file meta data with the files that are exposed to user space. The file meta data would have a ref count that is set when the file is created and would be decremented and freed after the last user that opened the file closed it. When the file meta data was to be freed, it would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed, and any new references made (like new opens or reads) would fail as it is marked freed. This allowed other meta data to be freed after this flag was set (under the event_mutex). All the files that were dynamically created in the events directory had a pointer to the file meta data and would call event_release() when the last reference to the user space file was closed. This would be the time that it is safe to free the file meta data. A shortcut was made for the "format" file. It's i_private would point to the "call" entry directly and not point to the file's meta data. This is because all format files are the same for the same "call", so it was thought there was no reason to differentiate them. The other files maintain state (like the "enable", "trigger", etc). But this meant if the file were to disappear, the "format" file would be unaware of it. This caused a race that could be trigger via the user_events test (that would create dynamic events and free them), and running a loop that would read the user_events format files: In one console run: # cd tools/testing/selftests/user_events # while true; do ./ftrace_test; done And in another console run: # cd /sys/kernel/tracing/ # while true; do cat events/user_events/__test_event/format; done 2>/dev/null With KASAN memory checking, it would trigger a use-after-free bug report (which was a real bug). This was because the format file was not checking the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the event that the file meta data pointed to after the event was freed. After inspection, there are other locations that were found to not check the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a new helper function: event_file_file() that will make sure that the event_mutex is held, and will return NULL if the trace_event_file has the EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file pointer use event_file_file() and check for NULL. Later uses can still use the event_file_data() helper function if the event_mutex is still held and was not released since the event_file_file() call.
References
Impacted products
Vendor Product Version
Linux Linux Version: 14aa4f3efc6e784847e8c8543a7ef34ec9bdbb01
Version: b63db58e2fa5d6963db9c45df88e60060f0ff35f
Version: b63db58e2fa5d6963db9c45df88e60060f0ff35f
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43891",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:29:22.295437Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:32:58.118Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_hist.c",
            "kernel/trace/trace_events_inject.c",
            "kernel/trace/trace_events_trigger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ed03758ddf0b19d69eed69386d65a92d0091e0c",
              "status": "affected",
              "version": "14aa4f3efc6e784847e8c8543a7ef34ec9bdbb01",
              "versionType": "git"
            },
            {
              "lessThan": "531dc6780d94245af037c25c2371c8caf652f0f9",
              "status": "affected",
              "version": "b63db58e2fa5d6963db9c45df88e60060f0ff35f",
              "versionType": "git"
            },
            {
              "lessThan": "b1560408692cd0ab0370cfbe9deb03ce97ab3f6d",
              "status": "affected",
              "version": "b63db58e2fa5d6963db9c45df88e60060f0ff35f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_hist.c",
            "kernel/trace/trace_events_inject.c",
            "kernel/trace/trace_events_trigger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.49",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.49",
                  "versionStartIncluding": "6.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.5",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have format file honor EVENT_FILE_FL_FREED\n\nWhen eventfs was introduced, special care had to be done to coordinate the\nfreeing of the file meta data with the files that are exposed to user\nspace. The file meta data would have a ref count that is set when the file\nis created and would be decremented and freed after the last user that\nopened the file closed it. When the file meta data was to be freed, it\nwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,\nand any new references made (like new opens or reads) would fail as it is\nmarked freed. This allowed other meta data to be freed after this flag was\nset (under the event_mutex).\n\nAll the files that were dynamically created in the events directory had a\npointer to the file meta data and would call event_release() when the last\nreference to the user space file was closed. This would be the time that it\nis safe to free the file meta data.\n\nA shortcut was made for the \"format\" file. It\u0027s i_private would point to\nthe \"call\" entry directly and not point to the file\u0027s meta data. This is\nbecause all format files are the same for the same \"call\", so it was\nthought there was no reason to differentiate them.  The other files\nmaintain state (like the \"enable\", \"trigger\", etc). But this meant if the\nfile were to disappear, the \"format\" file would be unaware of it.\n\nThis caused a race that could be trigger via the user_events test (that\nwould create dynamic events and free them), and running a loop that would\nread the user_events format files:\n\nIn one console run:\n\n # cd tools/testing/selftests/user_events\n # while true; do ./ftrace_test; done\n\nAnd in another console run:\n\n # cd /sys/kernel/tracing/\n # while true; do cat events/user_events/__test_event/format; done 2\u003e/dev/null\n\nWith KASAN memory checking, it would trigger a use-after-free bug report\n(which was a real bug). This was because the format file was not checking\nthe file\u0027s meta data flag \"EVENT_FILE_FL_FREED\", so it would access the\nevent that the file meta data pointed to after the event was freed.\n\nAfter inspection, there are other locations that were found to not check\nthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a\nnew helper function: event_file_file() that will make sure that the\nevent_mutex is held, and will return NULL if the trace_event_file has the\nEVENT_FILE_FL_FREED flag set. Have the first reference of the struct file\npointer use event_file_file() and check for NULL. Later uses can still use\nthe event_file_data() helper function if the event_mutex is still held and\nwas not released since the event_file_file() call."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:28:40.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ed03758ddf0b19d69eed69386d65a92d0091e0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d"
        }
      ],
      "title": "tracing: Have format file honor EVENT_FILE_FL_FREED",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43891",
    "datePublished": "2024-08-26T10:10:44.790Z",
    "dateReserved": "2024-08-17T09:11:59.290Z",
    "dateUpdated": "2025-05-04T09:28:40.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43891\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-26T11:15:04.103\",\"lastModified\":\"2024-09-05T18:46:18.440\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have format file honor EVENT_FILE_FL_FREED\\n\\nWhen eventfs was introduced, special care had to be done to coordinate the\\nfreeing of the file meta data with the files that are exposed to user\\nspace. The file meta data would have a ref count that is set when the file\\nis created and would be decremented and freed after the last user that\\nopened the file closed it. When the file meta data was to be freed, it\\nwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,\\nand any new references made (like new opens or reads) would fail as it is\\nmarked freed. This allowed other meta data to be freed after this flag was\\nset (under the event_mutex).\\n\\nAll the files that were dynamically created in the events directory had a\\npointer to the file meta data and would call event_release() when the last\\nreference to the user space file was closed. This would be the time that it\\nis safe to free the file meta data.\\n\\nA shortcut was made for the \\\"format\\\" file. It\u0027s i_private would point to\\nthe \\\"call\\\" entry directly and not point to the file\u0027s meta data. This is\\nbecause all format files are the same for the same \\\"call\\\", so it was\\nthought there was no reason to differentiate them.  The other files\\nmaintain state (like the \\\"enable\\\", \\\"trigger\\\", etc). But this meant if the\\nfile were to disappear, the \\\"format\\\" file would be unaware of it.\\n\\nThis caused a race that could be trigger via the user_events test (that\\nwould create dynamic events and free them), and running a loop that would\\nread the user_events format files:\\n\\nIn one console run:\\n\\n # cd tools/testing/selftests/user_events\\n # while true; do ./ftrace_test; done\\n\\nAnd in another console run:\\n\\n # cd /sys/kernel/tracing/\\n # while true; do cat events/user_events/__test_event/format; done 2\u003e/dev/null\\n\\nWith KASAN memory checking, it would trigger a use-after-free bug report\\n(which was a real bug). This was because the format file was not checking\\nthe file\u0027s meta data flag \\\"EVENT_FILE_FL_FREED\\\", so it would access the\\nevent that the file meta data pointed to after the event was freed.\\n\\nAfter inspection, there are other locations that were found to not check\\nthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a\\nnew helper function: event_file_file() that will make sure that the\\nevent_mutex is held, and will return NULL if the trace_event_file has the\\nEVENT_FILE_FL_FREED flag set. Have the first reference of the struct file\\npointer use event_file_file() and check for NULL. Later uses can still use\\nthe event_file_data() helper function if the event_mutex is still held and\\nwas not released since the event_file_file() call.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: Tener formato de archivo honor\u00edfico EVENT_FILE_FL_FREED Cuando se introdujo eventfs, se tuvo que tener especial cuidado para coordinar la liberaci\u00f3n de los metadatos del archivo con los archivos que est\u00e1n expuestos al espacio del usuario. Los metadatos del archivo tendr\u00edan un recuento de referencias que se establece cuando se crea el archivo y se reducir\u00edan y liberar\u00edan despu\u00e9s de que el \u00faltimo usuario que abri\u00f3 el archivo lo cerr\u00f3. Cuando se iban a liberar los metadatos del archivo, se establecer\u00eda un indicador (EVENT_FILE_FL_FREED) para indicar que el archivo est\u00e1 liberado, y cualquier nueva referencia realizada (como nuevas aperturas o lecturas) fallar\u00eda ya que se marca como liberado. Esto permiti\u00f3 liberar otros metadatos despu\u00e9s de establecer este indicador (bajo event_mutex). Todos los archivos que se crearon din\u00e1micamente en el directorio de eventos ten\u00edan un puntero a los metadatos del archivo y llamar\u00edan a event_release() cuando se cerrara la \u00faltima referencia al archivo de espacio de usuario. Este ser\u00eda el momento en el que ser\u00e1 seguro liberar los metadatos del archivo. Se cre\u00f3 un acceso directo para el archivo \\\"formato\\\". Es i_private apuntar\u00eda a la entrada \\\"llamar\\\" directamente y no a los metadatos del archivo. Esto se debe a que todos los archivos de formato son iguales para una misma \\\"llamada\\\", por lo que se pens\u00f3 que no hab\u00eda motivo para diferenciarlos. Los otros archivos mantienen el estado (como \\\"habilitar\\\", \\\"activar\\\", etc.). Pero esto significaba que si el archivo desapareciera, el archivo \\\"formateado\\\" no lo sabr\u00eda. Esto provoc\u00f3 una ejecuci\u00f3n que podr\u00eda desencadenarse a trav\u00e9s de la prueba user_events (que crear\u00eda eventos din\u00e1micos y los liberar\u00eda) y ejecutar un bucle que leer\u00eda los archivos de formato user_events: En una ejecuci\u00f3n de consola: # cd tools/testing/selftests/user_events # si bien es cierto; hacer ./ftrace_test; hecho Y en otra consola ejecute: # cd /sys/kernel/tracing/ # while true; hacer eventos de gato/eventos_usuario/__test_event/formato; done 2\u0026gt;/dev/null Con la comprobaci\u00f3n de memoria de KASAN, se activar\u00eda un informe de error de use-after-free (que era un error real). Esto se deb\u00eda a que el archivo de formato no estaba verificando el indicador de metadatos del archivo \\\"EVENT_FILE_FL_FREED\\\", por lo que acceder\u00eda al evento al que apuntaban los metadatos del archivo despu\u00e9s de que se liberara el evento. Despu\u00e9s de la inspecci\u00f3n, se encontr\u00f3 que hay otras ubicaciones que no marcaban el indicador EVENT_FILE_FL_FREED al acceder a trace_event_file. Agregue una nueva funci\u00f3n auxiliar: event_file_file() que garantizar\u00e1 que event_mutex se mantenga y devolver\u00e1 NULL si trace_event_file tiene establecido el indicador EVENT_FILE_FL_FREED. Haga que la primera referencia del puntero del archivo de estructura use event_file_file() y verifique NULL. Los usos posteriores a\u00fan pueden usar la funci\u00f3n auxiliar event_file_data() si event_mutex a\u00fan se mantiene y no se liber\u00f3 desde la llamada event_file_file().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.33\",\"versionEndExcluding\":\"6.6.49\",\"matchCriteriaId\":\"EF5E99A7-E570-41C0-81D1-35491C9A68B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9\",\"versionEndExcluding\":\"6.10.5\",\"matchCriteriaId\":\"F07BD0FF-07AF-4DAD-8EB1-09FB50ABDC47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4ed03758ddf0b19d69eed69386d65a92d0091e0c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43891\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:29:22.295437Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:12.506Z\"}}], \"cna\": {\"title\": \"tracing: Have format file honor EVENT_FILE_FL_FREED\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"14aa4f3efc6e784847e8c8543a7ef34ec9bdbb01\", \"lessThan\": \"4ed03758ddf0b19d69eed69386d65a92d0091e0c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b63db58e2fa5d6963db9c45df88e60060f0ff35f\", \"lessThan\": \"531dc6780d94245af037c25c2371c8caf652f0f9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b63db58e2fa5d6963db9c45df88e60060f0ff35f\", \"lessThan\": \"b1560408692cd0ab0370cfbe9deb03ce97ab3f6d\", \"versionType\": \"git\"}], \"programFiles\": [\"kernel/trace/trace.h\", \"kernel/trace/trace_events.c\", \"kernel/trace/trace_events_hist.c\", \"kernel/trace/trace_events_inject.c\", \"kernel/trace/trace_events_trigger.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.9\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.9\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.49\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"kernel/trace/trace.h\", \"kernel/trace/trace_events.c\", \"kernel/trace/trace_events_hist.c\", \"kernel/trace/trace_events_inject.c\", \"kernel/trace/trace_events_trigger.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/4ed03758ddf0b19d69eed69386d65a92d0091e0c\"}, {\"url\": \"https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9\"}, {\"url\": \"https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have format file honor EVENT_FILE_FL_FREED\\n\\nWhen eventfs was introduced, special care had to be done to coordinate the\\nfreeing of the file meta data with the files that are exposed to user\\nspace. The file meta data would have a ref count that is set when the file\\nis created and would be decremented and freed after the last user that\\nopened the file closed it. When the file meta data was to be freed, it\\nwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,\\nand any new references made (like new opens or reads) would fail as it is\\nmarked freed. This allowed other meta data to be freed after this flag was\\nset (under the event_mutex).\\n\\nAll the files that were dynamically created in the events directory had a\\npointer to the file meta data and would call event_release() when the last\\nreference to the user space file was closed. This would be the time that it\\nis safe to free the file meta data.\\n\\nA shortcut was made for the \\\"format\\\" file. It\u0027s i_private would point to\\nthe \\\"call\\\" entry directly and not point to the file\u0027s meta data. This is\\nbecause all format files are the same for the same \\\"call\\\", so it was\\nthought there was no reason to differentiate them.  The other files\\nmaintain state (like the \\\"enable\\\", \\\"trigger\\\", etc). But this meant if the\\nfile were to disappear, the \\\"format\\\" file would be unaware of it.\\n\\nThis caused a race that could be trigger via the user_events test (that\\nwould create dynamic events and free them), and running a loop that would\\nread the user_events format files:\\n\\nIn one console run:\\n\\n # cd tools/testing/selftests/user_events\\n # while true; do ./ftrace_test; done\\n\\nAnd in another console run:\\n\\n # cd /sys/kernel/tracing/\\n # while true; do cat events/user_events/__test_event/format; done 2\u003e/dev/null\\n\\nWith KASAN memory checking, it would trigger a use-after-free bug report\\n(which was a real bug). This was because the format file was not checking\\nthe file\u0027s meta data flag \\\"EVENT_FILE_FL_FREED\\\", so it would access the\\nevent that the file meta data pointed to after the event was freed.\\n\\nAfter inspection, there are other locations that were found to not check\\nthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a\\nnew helper function: event_file_file() that will make sure that the\\nevent_mutex is held, and will return NULL if the trace_event_file has the\\nEVENT_FILE_FL_FREED flag set. Have the first reference of the struct file\\npointer use event_file_file() and check for NULL. Later uses can still use\\nthe event_file_data() helper function if the event_mutex is still held and\\nwas not released since the event_file_file() call.\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-12-19T09:17:54.838Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43891\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T09:17:54.838Z\", \"dateReserved\": \"2024-08-17T09:11:59.290Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-26T10:10:44.790Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.