CVE-2024-43891

一、漏洞信息
 漏洞编号：[CVE-2024-43891](https://nvd.nist.gov/vuln/detail/CVE-2024-43891)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：4.7 Medium
  Vector：CVSS：3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:tracing: Have format file honor EVENT_FILE_FL_FREEDWhen eventfs was introduced, special care had to be done to coordinate thefreeing of the file meta data with the files that are exposed to userspace. The file meta data would have a ref count that is set when the fileis created and would be decremented and freed after the last user thatopened the file closed it. When the file meta data was to be freed, itwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,and any new references made (like new opens or reads) would fail as it ismarked freed. This allowed other meta data to be freed after this flag wasset (under the event_mutex).All the files that were dynamically created in the events directory had apointer to the file meta data and would call event_release() when the lastreference to the user space file was closed. This would be the time that itis safe to free the file meta data.A shortcut was made for the  format  file. It s i_private would point tothe  call  entry directly and not point to the file s meta data. This isbecause all format files are the same for the same  call , so it wasthought there was no reason to differentiate them.  The other filesmaintain state (like the  enable ,  trigger , etc). But this meant if thefile were to disappear, the  format  file would be unaware of it.This caused a race that could be trigger via the user_events test (thatwould create dynamic events and free them), and running a loop that wouldread the user_events format files:In one console run: # cd tools/testing/selftests/user_events # while true; do ./ftrace_test; doneAnd in another console run: # cd /sys/kernel/tracing/ # while true; do cat events/user_events/__test_event/format; done 2>/dev/nullWith KASAN memory checking, it would trigger a use-after-free bug report(which was a real bug). This was because the format file was not checkingthe file s meta data flag  EVENT_FILE_FL_FREED , so it would access theevent that the file meta data pointed to after the event was freed.After inspection, there are other locations that were found to not checkthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add anew helper function: event_file_file() that will make sure that theevent_mutex is held, and will return NULL if the trace_event_file has theEVENT_FILE_FL_FREED flag set. Have the first reference of the struct filepointer use event_file_file() and check for NULL. Later uses can still usethe event_file_data() helper function if the event_mutex is still held andwas not released since the event_file_file() call.
 漏洞公开时间：2024-08-26 19:15:04
 漏洞创建时间：2024-08-27 01:13:00
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-43891
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/4ed03758ddf0b19d69eed69386d65a92d0091e0c |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-43891 | https://bugzilla.suse.com/show_bug.cgi?id=1229762 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-43891 | https://bugzilla.suse.com/show_bug.cgi?id=1229762 |
| suse_bugzilla | https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9 | https://bugzilla.suse.com/show_bug.cgi?id=1229762 |
| suse_bugzilla | https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d | https://bugzilla.suse.com/show_bug.cgi?id=1229762 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-43891.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1229762 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024082603-CVE-2024-43891-a69d@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2307864 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-43891 | https://ubuntu.com/security/CVE-2024-43891 |
| ubuntu | https://git.kernel.org/linus/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d (6.11-rc3) | https://ubuntu.com/security/CVE-2024-43891 |
| ubuntu | https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9 | https://ubuntu.com/security/CVE-2024-43891 |
| ubuntu | https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d | https://ubuntu.com/security/CVE-2024-43891 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-43891 | https://ubuntu.com/security/CVE-2024-43891 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-43891 | https://ubuntu.com/security/CVE-2024-43891 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-43891 | https://ubuntu.com/security/CVE-2024-43891 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-43891 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-43891 |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2024-43891 | https://explore.alas.aws.amazon.com/CVE-2024-43891.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43891 | https://explore.alas.aws.amazon.com/CVE-2024-43891.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/4ed03758ddf0b19d69eed69386d65a92d0091e0c |  | nvd |
|  |  | https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9 |  | nvd |
|  |  | https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d |  | nvd |
| linux |  | https://git.kernel.org/linus/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d | https://git.kernel.org/linus/b63db58e2fa5d6963db9c45df88e60060f0ff35f | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:tracing: Have format file honor EVENT_FILE_FL_FREEDWhen eventfs was introduced, special care had to be done to coordinate thefreeing of the file meta data with the files that are exposed to userspace. The file meta data would have a ref count that is set when the fileis created and would be decremented and freed after the last user thatopened the file closed it. When the file meta data was to be freed, itwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,and any new references made (like new opens or reads) would fail as it ismarked freed. This allowed other meta data to be freed after this flag wasset (under the event_mutex).All the files that were dynamically created in the events directory had apointer to the file meta data and would call event_release() when the lastreference to the user space file was closed. This would be the time that itis safe to free the file meta data.A shortcut was made for the  format  file. It s i_private would point tothe  call  entry directly and not point to the file s meta data. This isbecause all format files are the same for the same  call , so it wasthought there was no reason to differentiate them.  The other filesmaintain state (like the  enable ,  trigger , etc). But this meant if thefile were to disappear, the  format  file would be unaware of it.This caused a race that could be trigger via the user_events test (thatwould create dynamic events and free them), and running a loop that wouldread the user_events format files:In one console run: # cd tools/testing/selftests/user_events # while true; do ./ftrace_test; doneAnd in another console run: # cd /sys/kernel/tracing/ # while true; do cat events/user_events/__test_event/format; done 2>/dev/nullWith KASAN memory checking, it would trigger a use-after-free bug report(which was a real bug). This was because the format file was not checkingthe file s meta data flag  EVENT_FILE_FL_FREED , so it would access theevent that the file meta data pointed to after the event was freed.After inspection, there are other locations that were found to not checkthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add anew helper function: event_file_file() that will make sure that theevent_mutex is held, and will return NULL if the trace_event_file has theEVENT_FILE_FL_FREED flag set. Have the first reference of the struct filepointer use event_file_file() and check for NULL. Later uses can still usethe event_file_data() helper function if the event_mutex is still held andwas not released since the event_file_file() call.
 openEuler评分：
  4.7
 Vector：CVSS：3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP1(5.10.0):不受影响
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

src-openEuler/kernel
Closed

Content Risk Flag

Comments (13)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-43891

Comments (13)

Search

src-openEuler/kernel
Closed