CVE-2023-53560

In the Linux kernel, the following vulnerability has been resolved:

tracing/histograms: Add histograms to hist_vars if they have referenced variables

Hist triggers can have referenced variables without having direct variables fields. This can be the case if referenced variables are added for trigger actions. In this case the newly added references will not have field variables. Not taking such referenced variables into consideration can result in a bug where it would be possible to remove hist trigger with variables being refenced. This will result in a bug that is easily reproducable like so

$ cd /sys/kernel/tracing $ echo 'syntheticsysenter char[] comm; long id' >> syntheticevents $ echo 'hist:keys=commonpid.execname,id.syscall:vals=hitcount:comm=commonpid.execname' >> events/rawsyscalls/sysenter/trigger $ echo 'hist:keys=commonpid.execname,id.syscall:onmatch(rawsyscalls.sysenter).syntheticsysenter($comm, id)' >> events/rawsyscalls/sysenter/trigger $ echo '!hist:keys=commonpid.execname,id.syscall:vals=hitcount:comm=commonpid.execname' >> events/rawsyscalls/sysenter/trigger

[ 100.263533] ================================================================== [ 100.264634] BUG: KASAN: slab-use-after-free in resolvevarrefs+0xc7/0x180 [ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439 [ 100.266320] [ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4 [ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807005459-localhost 04/01/2014 [ 100.268561] Call Trace: [ 100.268902] <TASK> [ 100.269189] dumpstacklvl+0x4c/0x70 [ 100.269680] printreport+0xc5/0x600 [ 100.270165] ? resolvevarrefs+0xc7/0x180 [ 100.270697] ? kasancompletemodereportinfo+0x80/0x1f0 [ 100.271389] ? resolvevarrefs+0xc7/0x180 [ 100.271913] kasanreport+0xbd/0x100 [ 100.272380] ? resolvevarrefs+0xc7/0x180 [ 100.272920] asanload8+0x71/0xa0 [ 100.273377] resolvevarrefs+0xc7/0x180 [ 100.273888] eventhisttrigger+0x749/0x860 [ 100.274505] ? kasansavestack+0x2a/0x50 [ 100.275024] ? kasansettrack+0x29/0x40 [ 100.275536] ? _pfxeventhisttrigger+0x10/0x10 [ 100.276138] ? ksyswrite+0xd1/0x170 [ 100.276607] ? dosyscall64+0x3c/0x90 [ 100.277099] ? entrySYSCALL64afterhwframe+0x6e/0xd8 [ 100.277771] ? destroyhistdata+0x446/0x470 [ 100.278324] ? eventhisttriggerparse+0xa6c/0x3860 [ 100.278962] ? _pfxeventhisttriggerparse+0x10/0x10 [ 100.279627] ? _kasancheckwrite+0x18/0x20 [ 100.280177] ? mutexunlock+0x85/0xd0 [ 100.280660] ? _pfxmutexunlock+0x10/0x10 [ 100.281200] ? kfree+0x7b/0x120 [ 100.281619] ? kasanslabfree+0x15d/0x1d0 [ 100.282197] ? eventtriggerwrite+0xac/0x100 [ 100.282764] ? _kasanslabfree+0x16/0x20 [ 100.283293] ? _kmemcachefree+0x153/0x2f0 [ 100.283844] ? schedmmcidremoteclear+0xb1/0x250 [ 100.284550] ? _pfxschedmmcidremoteclear+0x10/0x10 [ 100.285221] ? eventtriggerwrite+0xbc/0x100 [ 100.285781] ? _kasancheckread+0x15/0x20 [ 100.286321] ? _bitmapweight+0x66/0xa0 [ 100.286833] ? _findnextbit+0x46/0xe0 [ 100.287334] ? taskmmcidwork+0x37f/0x450 [ 100.287872] eventtriggerscall+0x84/0x150 [ 100.288408] traceeventbuffercommit+0x339/0x430 [ 100.289073] ? ringbuffereventdata+0x3f/0x60 [ 100.292189] traceeventraweventsysenter+0x8b/0xe0 [ 100.295434] syscalltraceenter.constprop.0+0x18f/0x1b0 [ 100.298653] syscallenterfromusermode+0x32/0x40 [ 100.301808] dosyscall64+0x1a/0x90 [ 100.304748] entrySYSCALL64afterhwframe+0x6e/0xd8 [ 100.307775] RIP: 0033:0x7f686c75c1cb [ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48 [ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIGRAX: 0000000000000021 [ 100.321200] RA ---truncated---