CVE-2024-43891

Medium

In the Linux kernel, the following vulnerability has been resolved:

tracing: Have format file honor EVENT_FILE_FL_FREED

When eventfs was introduced, special care had to be done to coordinate the freeing of the file meta data with the files that are exposed to user space. The file meta data would have a ref count that is set when the file is created and would be decremented and freed after the last user that opened the file closed it.

When the file meta data was to be freed, it would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed, and any new references made (like new opens or reads) would fail as it is marked freed. This allowed other meta data to be freed after this flag was set (under the event_mutex).

All the files that were dynamically created in the events directory had a pointer to the file meta data and would call event_release() when the last reference to the user space file was closed. This would be the time that it is safe to free the file meta data.

A shortcut was made for the "format" file. Its i_private would point to the "call" entry directly and not point to the file's meta data. This is because all format files are the same for the same "call", so it was thought there was no reason to differentiate them. The other files maintain state (like the "enable", "trigger", etc). But this meant if the file were to disappear, the "format" file would be unaware of it.

This caused a race that could be triggered via the user_events test (that would create dynamic events and free them), and running a loop that would read the user_events format files:

In one console run:

    # cd tools/testing/selftests/user_events
    # while true; do ./ftrace_test; done

And in another console run:

    # cd /sys/kernel/tracing/
    # while true; do cat events/user_events/__test_event/format; done 2>/dev/null

With KASAN memory checking, it would trigger a use-after-free bug report (which was a real bug). This was because the format file was not checking the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the event that the file meta data pointed to after the event was freed.

After inspection, there are other locations that were found to not check the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a new helper function: event_file_file() that will make sure that the event_mutex is held, and will return NULL if the trace_event_file has the EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file pointer use event_file_file() and check for NULL. Later uses can still use the event_file_data() helper function if the event_mutex is still held and was not released since the event_file_file() call.
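The lifetime handshake the commit message describes, as an added example: a single-threaded user-space C model, not kernel code. The struct names mirror the kernel's, but their bodies, the event_create/event_remove helpers, the two format_read_* paths, the lockdep_violations counter standing in for lockdep_assert_held(), and the -ENODEV return for a freed event are all this model's assumptions. The freed call is scribbled rather than free()d so the stale read is visible instead of undefined behaviour.

```c
/* Added example: user-space model of the EVENT_FILE_FL_FREED handshake.
 * Names mirror the kernel's; bodies are simplified stand-ins, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define EVENT_FILE_FL_FREED (1u << 0)
#define FORMAT_LEN 64

struct trace_event_call {        /* the per-event definition behind "format" */
    char format[FORMAT_LEN];
};

struct trace_event_file {        /* per-file meta data with its own lifetime */
    struct trace_event_call *event_call;
    unsigned int flags;
};

struct file {                    /* model of struct file: only i_private matters */
    void *i_private;
};

/* Single-threaded model of event_mutex plus lockdep's held-check. */
static bool event_mutex_held;
static int lockdep_violations;
static void event_mutex_lock(void)   { event_mutex_held = true; }
static void event_mutex_unlock(void) { event_mutex_held = false; }

/* Plain accessor: no lock requirement, no FREED check (pre-fix behaviour). */
static void *event_file_data(struct file *filp) { return filp->i_private; }

/* Validating accessor, shaped after the helper the fix adds: must be called
 * with event_mutex held, and returns NULL once the meta data is marked FREED. */
static struct trace_event_file *event_file_file(struct file *filp)
{
    struct trace_event_file *file = filp->i_private;

    if (!event_mutex_held)
        lockdep_violations++;    /* stands in for lockdep_assert_held() */
    if (!file || (file->flags & EVENT_FILE_FL_FREED))
        return NULL;
    return file;
}

static struct trace_event_file *event_create(const char *format)
{
    struct trace_event_call *call = calloc(1, sizeof(*call));
    struct trace_event_file *file = calloc(1, sizeof(*file));

    if (!call || !file)
        abort();
    strncpy(call->format, format, FORMAT_LEN - 1);
    file->event_call = call;
    return file;
}

/* Tear-down: mark the meta data FREED under event_mutex, then "free" the call.
 * The call is scribbled, not free()d, so a stale read shows up as data. */
static void event_remove(struct trace_event_file *file)
{
    event_mutex_lock();
    file->flags |= EVENT_FILE_FL_FREED;
    strncpy(file->event_call->format, "<freed memory>", FORMAT_LEN - 1);
    event_mutex_unlock();
}

/* Pre-fix format read: i_private is the call itself, so nothing here can
 * notice that the event behind it is gone. */
static int format_read_before(struct file *filp, char *buf, size_t len)
{
    struct trace_event_call *call = event_file_data(filp);

    strncpy(buf, call->format, len - 1);
    buf[len - 1] = '\0';
    return (int)strlen(buf);
}

/* Post-fix format read: i_private is the meta data; validate it under the
 * mutex first. -ENODEV for a freed event is this model's choice of error. */
static int format_read_after(struct file *filp, char *buf, size_t len)
{
    struct trace_event_file *file;
    int n;

    event_mutex_lock();
    file = event_file_file(filp);
    if (!file) {
        event_mutex_unlock();
        return -ENODEV;
    }
    /* Still under the mutex since the check: the plain accessor is fine now. */
    file = event_file_data(filp);
    strncpy(buf, file->event_call->format, len - 1);
    buf[len - 1] = '\0';
    n = (int)strlen(buf);
    event_mutex_unlock();
    return n;
}

/* Replays the race from the commit message: a "format" file is open, the
 * event is removed, then the file is read. Returns 1 when the pre-fix path
 * hands back the freed contents and the fixed path refuses with -ENODEV. */
static int demo_format_race(void)
{
    struct trace_event_file *file = event_create("name: __test_event");
    struct file before = { .i_private = file->event_call };  /* old wiring */
    struct file after  = { .i_private = file };              /* new wiring */
    char buf[FORMAT_LEN];
    int old_ret, new_ret, stale;

    event_remove(file);
    old_ret = format_read_before(&before, buf, sizeof buf);
    stale = strcmp(buf, "<freed memory>") == 0;
    new_ret = format_read_after(&after, buf, sizeof buf);

    free(file->event_call);
    free(file);
    return old_ret > 0 && stale && new_ret == -ENODEV;
}

/* Calling the validating helper without event_mutex is itself a bug the
 * helper reports (lockdep in the kernel, a counter here). Returns 1 if it did. */
static int demo_unlocked_lookup(void)
{
    struct trace_event_file *file = event_create("x");
    struct file fp = { .i_private = file };
    int before = lockdep_violations;
    int flagged;

    event_file_file(&fp);
    flagged = lockdep_violations == before + 1;
    free(file->event_call);
    free(file);
    return flagged;
}
```

The point the model makes is the ordering: the FREED flag is set under event_mutex before the memory behind the meta data goes away, so any reader that takes the mutex and checks the flag first can never reach the freed event, while a reader that follows a cached pointer without that check (the old "format" wiring) has no way to notice.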

Package Linux Kernel
Published 2024-08-26
Last modified 2024-09-05
CVSS version 3.1
Patch available
Yes

CVSS 3.1 score

4.7

out of 10
Medium
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-416

CVE-2024-43891 is a Use After Free vulnerability

What is Use After Free?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE

Affected versions

Affected: the 6.6 stable series from 6.6.33 up to, but not including, 6.6.49; and 6.9 and later up to, but not including, 6.10.5. Fixed in 6.6.49, 6.10.5 and 6.11, and in the stable series that carry those releases.

Affected from
  6.6.x: ≥ 6.6.33 (before 6.6.49)
  6.9 and later: ≥ 6.9 (before 6.10.5)
Fixed in
  6.6.x: ✓ 6.6.49
  6.10.x: ✓ 6.10.5
  mainline: ✓ 6.11

Frequently asked questions

  • What is CVE-2024-43891?

    CVE-2024-43891 is a Medium severity Linux kernel vulnerability with a CVSS score of 4.7 out of 10, classified as a Use After Free flaw (CWE-416). It affects Linux kernel 6.6.33 up to, but not including, 6.6.49, and 6.9 up to, but not including, 6.10.5; it has been patched in 6.6.49, 6.10.5 and 6.11. CVE-2024-43891 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • What is the CVSS score for CVE-2024-43891?

    CVE-2024-43891 has a CVSS score of 4.7 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H: local access with low privileges and no user interaction, high attack complexity (a race must be won), and an availability impact only.

  • Is there a patch available for CVE-2024-43891?

    Yes. CVE-2024-43891 has been patched; fixed versions are 6.6.49, 6.10.5 and 6.11. If you are running a 6.6 stable kernel at 6.6.33 or later but before 6.6.49, or 6.9 or later but before 6.10.5, update to the fix release for your kernel branch.

  • Is CVE-2024-43891 actively exploited?

    No — CVE-2024-43891 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

  • What is Use After Free (CWE-416)?

    The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →