CVE CyberSecurity Database News

CVE-2024-42096: Linux Kernel Vuln - x86 Stack Games in profile_pc() Resolved

Poster -

A vulnerability in the Linux kernel regarding the x86 platform has been identified and resolved. The vulnerability was discovered in the 'profile_pc()' function, which plays with the stack layout. It has been found that the function makes assumptions based on the stack layout that may not be valid. This blog post will discuss the details of the vulnerability, including the code snippets involved, original references, and exploit details.

Code Snippet and Details

The 'profile_pc()' function is used for timer-based profiling, which is not as relevant nowadays. The function makes assumptions about the stack layout that are only true in the simplest cases, causing issues with KASAN and lock debugging. Here's a snippet of the problematic code (please do not use this code snippet for any malicious purposes):

static unsigned long profile_pc(struct pt_regs *regs)
{
...
    if ((long)regs->flags & (3 << 9))
        address = ((unsigned long *)regs->sp)[1];
    }
...
}

The code tries to account for the time spent in spinlocks to the
caller rather than the spinlock itself. While this concept is supported,
it is not worth the code complexity or the KASAN warnings when no serious
profiling is done using timers.

To fix the issue, the problematic code was removed.

Historical Context

For those interested in the history of this issue, here are some background commits relating to this code:

31679f38d886: Simplify profile_pc on x86-64 (2006)

- ef4512882dbe: x86 - time_32/64.c unify profile_pc (2009)

Notice that the basics of this vulnerability go way back to before the git tree.

You can find further details about this vulnerability in the following sources

1. KASAN unhappiness reported by syzkaller: https://lore.kernel.org/lkml/CA+4M_hQxCP5yMSpPP-bkpk=_NQ1W4ALbBcvac6JDjSFSgC2CsA@mail.gmail.com/
2. Other KASAN unhappiness reports: https://lore.kernel.org/lkml/20190917014336.13642-1-me@mariospr.org/

Exploit Details

Currently, there are no known exploits for this vulnerability. The Linux kernel developers have resolved the issue by simply removing the problematic code, which relied on the stack layout assumptions. This fix prevents any potential exploits in the future based on this vulnerability.

Conclusion

The Linux kernel had a vulnerability in the x86 architecture, which potentially led to profiling issues and KASAN warnings. The profile_pc() function made assumptions based on the stack layout, which were not always valid. It has now been resolved by removing the problematic code. The Linux kernel developers have patched the vulnerability and made the Linux kernel safer for all users.

Timeline

Published on: 07/29/2024 18:15:12 UTC
Last modified on: 12/19/2024 09:12:40 UTC