In the Linux kernel, the following vulnerability has been resolved:

tracing: Free buffers when a used dynamic event is removed

After 65536 dynamic events have been added and removed, the type field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob.

The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new events logic on parsing the binary blob will be used.

To show how this can be an issue, the following can crash the kernel:

cd /sys/kernel/tracing

for i in seq 65536; do

 echo p:kprobes/foo do_sys_openat2 $arg1:u32 > kprobe_events

done

For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same.

Now that means deleting one dynamic event and created another will reuse the previous events type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function calls first parameter as an integer.

echo 1 > kprobes/foo/enable

cat /etc/passwd > /dev/null

cat trace

         cat-2211    [005] ....  2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
         cat-2211    [005] ....  2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
         cat-2211    [005] ....  2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
         cat-2211    [005] ....  2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196

echo 0 > kprobes/foo/enable

Now if we delete the kprobe and create a new one that reads a string:

echo p:kprobes/foo do_sys_openat2 +0($arg2):string > kprobe_events

And now we can the trace:

cat trace

    sendmail-1942    [002] .....   530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=             cat-2046    [004] .....   530.930817: foo: (do_sys_openat2+0x0/0x240) arg1=������������������������������������������������������������������������������������������������
         cat-2046    [004] .....   530.930961: foo: (do_sys_openat2+0x0/0x240) arg1=������������������������������������������������������������������������������������������������
         cat-2046    [004] .....   530.934278: foo: (do_sys_openat2+0x0/0x240) arg1=������������������������������������������������������������������������������������������������
         cat-2046    [004] .....   530.934563: foo: (do_sys_openat2+0x0/0x240) arg1=���������������������������������������

—truncated—

Weakness

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Affected Software

Extended Description

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Potential Mitigations

References

• https://git.kernel.org/stable/c/1603feac154ff38514e8354e3079a455eb4801e2
• https://git.kernel.org/stable/c/417d5ea6e735e5d88ffb6c436cf2938f3f476dd1
• https://git.kernel.org/stable/c/4313e5a613049dfc1819a6dfb5f94cf2caff9452
• https://git.kernel.org/stable/c/be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d
• https://git.kernel.org/stable/c/c52d0c8c4f38f7580cff61c4dfe1034c580cedfd