CVE-2022-49721 Information

Mar 01, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

arm64: ftrace: consistently handle PLTs.

Sometimes it is necessary to use a PLT entry to call an ftrace trampoline. This is handled by ftrace_make_call() and ftrace_make_nop() with each having almost identical logic but this is not handled by ftrace_modify_call() since its introduction in commit:

3b23e4991fb66f6d (rm64: implement ftrace with regs)

Due to this if we ever were to call ftrace_modify_call() for a callsite which requires a PLT entry for a trampoline then either:

a) If the old addr requires a trampoline ftrace_modify_call() will use an out-of-range address to generate the ‘old’ branch instruction. This will result in warnings from aarch64_insn_gen_branch_imm() and ftrace_modify_code() and no instructions will be modified. As ftrace_modify_call() will return an error this will result in subsequent internal ftrace errors.

b) If the old addr does not require a trampoline but the new addr does ftrace_modify_call() will use an out-of-range address to generate the ’new’ branch instruction. This will result in warnings from aarch64_insn_gen_branch_imm() and ftrace_modify_code() will replace the ‘old’ branch with a BRK. This will result in a kernel panic when this BRK is later executed.

Practically speaking case (a) is vastly more likely than case (b) and typically this will result in internal ftrace errors that don’t necessarily affect the rest of the system. This can be demonstrated with an out-of-tree test module which triggers ftrace_modify_call() e.g.

| insmod test_ftrace.ko | test_ftrace: Function test_function raw=0xffffb3749399201c callsite=0xffffb37493992024 | branch_imm_common: offset out of range | branch_imm_common: offset out of range | ————[ ftrace bug ]———— | ftrace failed to modify | [] test_function+0x8/0x38 [test_ftrace] | actual: 1d:00:00:94 | Updating ftrace call site to call a different ftrace function | ftrace record flags: e0000002 | (2) R | expected tramp: ffffb374ae42ed54 | ————[ cut here ]———— | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0 | Modules linked in: test_ftrace(+) | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce 13 | Hardware name: linuxdummy-virt (DT) | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) | pc : ftrace_bug+0x280/0x2b0 | lr : ftrace_bug+0x280/0x2b0 | sp : ffff80000839ba00 | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0 | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000 | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8 | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4 | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666 | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8 | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167 | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022 | Call trace: | ftrace_bug+0x280/0x2b0 | ftrace_replace_code+0x98/0xa0 | ftrace_modify_all_code+0xe0/0x144 | arch_ftrace_update_code+0x14/0x20 | ftrace_startup+0xf8/0x1b0 | register_ftrace_function+0x38/0x90 | test_ftrace_init+0xd0/0x1000 [test_ftrace] | do_one_initcall+0x50/0x2b0 | do_init_module+0x50/0x1f0 | load_module+0x17c8/0x1d64 | __do_sys_finit_module+0xa8/0x100 | __arm64_sys_finit_module+0x2c/0x3c | invoke_syscall+0x50/0x120 | el0_svc_common.constprop.0+0xdc/0x100 | do_el0_svc+0x3c/0xd0 | el0_svc+0x34/0xb0 | el0t_64_sync_handler+0xbc/0x140 | el0t_64_sync+0x18c/0x190 | —[ end trace 0000000000000000 ]—

We can solve this by consistently determining whether to use a PLT entry for an address.

Note that since (the earlier) commit:

f1a54ae9

truncated—

Reference

https://git.kernel.org/stable/c/a6253579977e4c6f7818eeb05bf2bc65678a7187 https://git.kernel.org/stable/c/bc28fde90937a920f7714ec4408269cac744f796 https://git.kernel.org/stable/c/db73aa9466338ec821ed2a0b01721fe4d06876b1 https://git.kernel.org/stable/c/dcecc96ed16f73417de5550f384e348c9d56f279

Share on: