CVE-2022-49721

Sometimes it is necessary to use a PLT entry to call an ftrace trampoline. This is handled by ftracemakecall() and ftracemakenop(), with each having almost identical logic, but this is not handled by ftracemodifycall() since its introduction in commit:

3b23e4991fb66f6d ("arm64: implement ftrace with regs")

Due to this, if we ever were to call ftracemodifycall() for a callsite which requires a PLT entry for a trampoline, then either:

a) If the old addr requires a trampoline, ftracemodifycall() will use an out-of-range address to generate the 'old' branch instruction. This will result in warnings from aarch64insngenbranchimm() and ftracemodifycode(), and no instructions will be modified. As ftracemodifycall() will return an error, this will result in subsequent internal ftrace errors.

b) If the old addr does not require a trampoline, but the new addr does, ftracemodifycall() will use an out-of-range address to generate the 'new' branch instruction. This will result in warnings from aarch64insngenbranchimm(), and ftracemodifycode() will replace the 'old' branch with a BRK. This will result in a kernel panic when this BRK is later executed.

Practically speaking, case (a) is vastly more likely than case (b), and typically this will result in internal ftrace errors that don't necessarily affect the rest of the system. This can be demonstrated with an out-of-tree test module which triggers ftracemodifycall(), e.g.

| # insmod testftrace.ko | testftrace: Function testfunction raw=0xffffb3749399201c, callsite=0xffffb37493992024 | branchimmcommon: offset out of range | branchimmcommon: offset out of range | ------------[ ftrace bug ]------------ | ftrace failed to modify | [<ffffb37493992024>] testfunction+0x8/0x38 [testftrace] | actual: 1d:00:00:94 | Updating ftrace call site to call a different ftrace function | ftrace record flags: e0000002 | (2) R | expected tramp: ffffb374ae42ed54 | ------------[ cut here ]------------ | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftracebug+0x280/0x2b0 | Modules linked in: testftrace(+) | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13 | Hardware name: linux,dummy-virt (DT) | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : ftracebug+0x280/0x2b0 | lr : ftracebug+0x280/0x2b0 | sp : ffff80000839ba00 | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0 | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000 | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8 | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4 | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666 | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8 | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167 | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022 | Call trace: | ftracebug+0x280/0x2b0 | ftracereplacecode+0x98/0xa0 | ftracemodifyallcode+0xe0/0x144 | archftraceupdatecode+0x14/0x20 | ftracestartup+0xf8/0x1b0 | registerftracefunction+0x38/0x90 | testftraceinit+0xd0/0x1000 [testftrace] | dooneinitcall+0x50/0x2b0 | doinitmodule+0x50/0x1f0 | loadmodule+0x17c8/0x1d64 | _dosysfinitmodule+0xa8/0x100 | _arm64sysfinitmodule+0x2c/0x3c | invokesyscall+0x50/0x120 | el0svccommon.constprop.0+0xdc/0x100 | doel0svc+0x3c/0xd0 | el0svc+0x34/0xb0 | el0t64synchandler+0xbc/0x140 | el0t64sync+0x18c/0x190 | ---[ end trace 0000000000000000 ]---

We can solve this by consistently determining whether to use a PLT entry for an address.

Note that since (the earlier) commit:

f1a54ae9 ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3b23e4991fb66f6d152f9055ede271a726ef9f21

Fixed

bc28fde90937a920f7714ec4408269cac744f796

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3b23e4991fb66f6d152f9055ede271a726ef9f21

Fixed

db73aa9466338ec821ed2a0b01721fe4d06876b1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3b23e4991fb66f6d152f9055ede271a726ef9f21

Fixed

dcecc96ed16f73417de5550f384e348c9d56f279

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3b23e4991fb66f6d152f9055ede271a726ef9f21

Fixed

a6253579977e4c6f7818eeb05bf2bc65678a7187

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.10.1

v5.10.10

v5.10.100

v5.10.101

v5.10.102

v5.10.103

v5.10.104

v5.10.105

v5.10.106

v5.10.107

v5.10.108

v5.10.109

v5.10.11

v5.10.110

v5.10.111

v5.10.112

v5.10.113

v5.10.114

v5.10.115

v5.10.116

v5.10.117

v5.10.118

v5.10.119

v5.10.12

v5.10.120

v5.10.121

v5.10.122

v5.10.123

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.18

v5.10.19

v5.10.2

v5.10.20

v5.10.21

v5.10.22

v5.10.23

v5.10.24

v5.10.25

v5.10.26

v5.10.27

v5.10.28

v5.10.29

v5.10.3

v5.10.30

v5.10.31

v5.10.32

v5.10.33

v5.10.34

v5.10.35

v5.10.36

v5.10.37

v5.10.38

v5.10.39

v5.10.4

v5.10.40

v5.10.41

v5.10.42

v5.10.43

v5.10.44

v5.10.45

v5.10.46

v5.10.47

v5.10.48

v5.10.49

v5.10.5

v5.10.50

v5.10.51

v5.10.52

v5.10.53

v5.10.54

v5.10.55

v5.10.56

v5.10.57

v5.10.58

v5.10.59

v5.10.6

v5.10.60

v5.10.61

v5.10.62

v5.10.63

v5.10.64

v5.10.65

v5.10.66

v5.10.67

v5.10.68

v5.10.69

v5.10.7

v5.10.70

v5.10.71

v5.10.72

v5.10.73

v5.10.74

v5.10.75

v5.10.76

v5.10.77

v5.10.78

v5.10.79

v5.10.8

v5.10.80

v5.10.81

v5.10.82

v5.10.83

v5.10.84

v5.10.85

v5.10.86

v5.10.87

v5.10.88

v5.10.89

v5.10.9

v5.10.90

v5.10.91

v5.10.92

v5.10.93

v5.10.94

v5.10.95

v5.10.96

v5.10.97

v5.10.98

v5.10.99

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.27

v5.15.28

v5.15.29

v5.15.3

v5.15.30

v5.15.31

v5.15.32

v5.15.33

v5.15.34

v5.15.35

v5.15.36

v5.15.37

v5.15.38

v5.15.39

v5.15.4

v5.15.40

v5.15.41

v5.15.42

v5.15.43

v5.15.44

v5.15.45

v5.15.46

v5.15.47

v5.15.48

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.18.1

v5.18.2

v5.18.3

v5.18.4

v5.18.5

v5.19-rc1

v5.19-rc2

v5.4

v5.4-rc4

v5.4-rc5

v5.4-rc6

v5.4-rc7

v5.4-rc8

v5.5

v5.5-rc1

v5.5-rc2

v5.5-rc3

v5.5-rc4

v5.5-rc5

v5.5-rc6

v5.5-rc7

v5.6

v5.6-rc1

v5.6-rc2

v5.6-rc3

v5.6-rc4

v5.6-rc5

v5.6-rc6

v5.6-rc7

v5.7

v5.7-rc1

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.124

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.49

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.18.6