{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-35955", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.136Z", "datePublished": "2024-05-20T09:41:48.607Z", "dateUpdated": "2024-12-19T08:59:01.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:59:01.803Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/kprobes.c"], "versions": [{"version": "1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8", "lessThan": "b5808d40093403334d939e2c3c417144d12a6f33", "status": "affected", "versionType": "git"}, {"version": "6a119c1a584aa7a2c6216458f1f272bf1bc93a93", "lessThan": "93eb31e7c3399e326259f2caa17be1e821f5a412", "status": "affected", "versionType": "git"}, {"version": "2a49b025c36ae749cee7ccc4b7e456e02539cdc3", "lessThan": "5062d1f4f07facbdade0f402d9a04a788f52e26d", "status": "affected", "versionType": "git"}, {"version": "a1edb85e60fdab1e14db63ae8af8db3f0d798fb6", "lessThan": "2df2dd27066cdba8041e46a64362325626bdfb2e", "status": "affected", "versionType": "git"}, {"version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "62029bc9ff2c17a4e3a2478d83418ec575413808", "status": "affected", "versionType": "git"}, {"version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "d15023fb407337028a654237d8968fefdcf87c2f", "status": "affected", "versionType": "git"}, {"version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "36b57c7d2f8b7de224980f1a284432846ad71ca0", "status": "affected", "versionType": "git"}, {"version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/kprobes.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.313", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.275", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.216", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.157", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.87", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.28", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.7", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33"}, {"url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412"}, {"url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d"}, {"url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e"}, {"url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808"}, {"url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f"}, {"url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0"}, {"url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8"}], "title": "kprobes: Fix possible use-after-free issue on kprobe registration", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "affected": [{"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1c836bad43f3", "status": "affected", "lessThan": "b5808d400934", "versionType": "git"}, {"version": "6a119c1a584a", "status": "affected", "lessThan": "93eb31e7c339", "versionType": "git"}, {"version": "2a49b025c36a", "status": "affected", "lessThan": "93eb31e7c339", "versionType": "git"}, {"version": "a1edb85e60fd", "status": "affected", "lessThan": "2df2dd27066c", "versionType": "git"}, {"version": "28f6c37a2910", "status": "affected", "lessThan": "62029bc9ff2c", "versionType": "git"}, {"version": "28f6c37a2910", "status": "affected", "lessThan": "d15023fb4073", "versionType": "git"}, {"version": "28f6c37a2910", "status": "affected", "lessThan": "36b57c7d2f8b", "versionType": "git"}, {"version": "28f6c37a2910", "status": "affected", "lessThan": "325f3fb551f8", "versionType": "git"}, {"version": "6.0", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-20T17:42:32.103628Z", "id": "CVE-2024-35955", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T13:44:14.513Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.971Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.971Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35955", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-20T17:42:32.103628Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "1c836bad43f3", "lessThan": "b5808d400934", "versionType": "git"}, {"status": "affected", "version": "6a119c1a584a", "lessThan": "93eb31e7c339", "versionType": "git"}, {"status": "affected", "version": "2a49b025c36a", "lessThan": "93eb31e7c339", "versionType": "git"}, {"status": "affected", "version": "a1edb85e60fd", "lessThan": "2df2dd27066c", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910", "lessThan": "62029bc9ff2c", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910", "lessThan": "d15023fb4073", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910", "lessThan": "36b57c7d2f8b", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910", "lessThan": "325f3fb551f8", "versionType": "git"}, {"status": "affected", "version": "6.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-20T17:47:26.987Z"}}], "cna": {"title": "kprobes: Fix possible use-after-free issue on kprobe registration", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1c836bad43f3e2ff71cc397a6e6ccb4e7bd116f8", "lessThan": "b5808d40093403334d939e2c3c417144d12a6f33", "versionType": "git"}, {"status": "affected", "version": "6a119c1a584aa7a2c6216458f1f272bf1bc93a93", "lessThan": "93eb31e7c3399e326259f2caa17be1e821f5a412", "versionType": "git"}, {"status": "affected", "version": "2a49b025c36ae749cee7ccc4b7e456e02539cdc3", "lessThan": "5062d1f4f07facbdade0f402d9a04a788f52e26d", "versionType": "git"}, {"status": "affected", "version": "a1edb85e60fdab1e14db63ae8af8db3f0d798fb6", "lessThan": "2df2dd27066cdba8041e46a64362325626bdfb2e", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "62029bc9ff2c17a4e3a2478d83418ec575413808", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "d15023fb407337028a654237d8968fefdcf87c2f", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "36b57c7d2f8b7de224980f1a284432846ad71ca0", "versionType": "git"}, {"status": "affected", "version": "28f6c37a2910f565b4f5960df52b2eccae28c891", "lessThan": "325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8", "versionType": "git"}], "programFiles": ["kernel/kprobes.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.0"}, {"status": "unaffected", "version": "0", "lessThan": "6.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.313", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.275", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.216", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.157", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.87", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.28", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.7", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["kernel/kprobes.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33"}, {"url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412"}, {"url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d"}, {"url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e"}, {"url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808"}, {"url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f"}, {"url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0"}, {"url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:59:01.803Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35955", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:59:01.803Z", "dateReserved": "2024-05-17T13:50:33.136Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-20T09:41:48.607Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A5EEFF9-94C9-4B98-B433-9D09A07C3668", "versionEndExcluding": "4.15", "versionStartIncluding": "4.14.291", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC59981-14D3-408D-B5A4-D0A17DDB8A23", "versionEndExcluding": "4.19.313", "versionStartIncluding": "4.19.256", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA3335E7-9267-4C3D-93F8-626223FD0C44", "versionEndExcluding": "5.4.275", "versionStartIncluding": "5.4.211", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7EFD3C1-FFE1-4E51-9321-E0C1C216D7E7", "versionEndExcluding": "5.10.216", "versionStartIncluding": "5.10.137", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7CED2BD-9C9A-489D-81FE-5E249A63D90F", "versionEndExcluding": "5.15.157", "versionStartIncluding": "5.15.61", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B60CAFE2-08C3-461B-B5F8-25BEB0C9853E", "versionEndExcluding": "5.19", "versionStartIncluding": "5.18.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC550D0F-01F1-44D5-B09C-D455B0C23990", "versionEndExcluding": "6.1.87", "versionStartIncluding": "5.19.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D6315B0-B3BA-406C-B0DB-51D9A63753F0", "versionEndExcluding": "6.6.28", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "531BDFB5-EF6A-4707-902E-146368303499", "versionEndExcluding": "6.8.7", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: kprobes: soluciona un posible problema de use after free en el registro de kprobe Al descargar un m\u00f3dulo, su estado cambia MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Cada cambio llevar\u00e1 un tiempo. `is_module_text_address()` y `__module_text_address()` funcionan con MODULE_STATE_LIVE y MODULE_STATE_GOING. Si usamos `is_module_text_address()` y `__module_text_address()` por separado, existe la posibilidad de que el primero tenga \u00e9xito pero el siguiente falle porque module->state se convierte en MODULE_STATE_UNFORMED entre esas operaciones. En `check_kprobe_address_safe()`, si el segundo `__module_text_address()` falla, se ignora porque esperaba una direcci\u00f3n kernel_text. Pero es posible que haya fallado simplemente porque m\u00f3dulo->estado se cambi\u00f3 a MODULE_STATE_UNFORMED. En este caso, arm_kprobe() intentar\u00e1 modificar la direcci\u00f3n de texto del m\u00f3dulo que no existe (use after free). Para solucionar este problema, no debemos usar `is_module_text_address()` y `__module_text_address()` separados, sino usar solo `__module_text_address()` una vez y hacer `try_module_get(module)` que solo est\u00e1 disponible con MODULE_STATE_LIVE."}], "id": "CVE-2024-35955", "lastModified": "2025-04-04T14:23:00.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-20T10:15:10.850", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: kprobes: Fix possible use-after-free issue on kprobe registration", "id": "2281931", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281931"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nkprobes: Fix possible use-after-free issue on kprobe registration\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\nMODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", "A vulnerability was found in the Linux kernel's kprobes functionality, where a use-after-free issue could occur during kprobe registration when unloading a module. The problem arises due to the module's state changing from `MODULE_STATE_LIVE` to `MODULE_STATE_UNFORMED` between two address checks (`is_module_text_address()` and `__module_text_address()`). This can result in a failed address check and the attempt to modify a non-existent module text address, leading to a use-after-free."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-35955", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35955\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35955\nhttps://lore.kernel.org/linux-cve-announce/2024052018-CVE-2024-35955-2555@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate"}