CVE-2024-46788 in Linuxinfo

Summary

by MITRE • 09/18/2024

In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Use a cpumask to know what threads are kthreads

The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to:

while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done

Causing the following OOPS:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]---

This is because it would mistakenly call kthread_stop() on a user space thread making it "exit" before it actually exits.

Since kthread ---truncated---

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/06/2026

The vulnerability described in CVE-2024-46788 resides within the Linux kernel's tracing subsystem, specifically in the osnoise module responsible for measuring system noise during real-time performance analysis. This flaw manifests as a race condition in the management of kernel threads where the start_kthread() and stop_thread() functions are not consistently protected by the interface_lock, creating a scenario where the kthread variable can be unexpectedly modified. The improper synchronization leads to erroneous invocation of kthread_stop() on threads that should not be stopped, resulting in a null pointer dereference and subsequent kernel oops. The vulnerability is particularly concerning because it affects the core kernel threading mechanisms, potentially causing system instability or crashes when the timerlat utility is used in continuous monitoring loops.

The technical root cause of this vulnerability aligns with CWE-362, which identifies race conditions in concurrent programming where operations are not properly synchronized. The flaw occurs when user space processes interact with kernel tracing interfaces, particularly when the timerlat utility repeatedly starts and stops threads in rapid succession. The kernel's osnoise tracing module fails to maintain proper thread state management when threads are created or destroyed, leading to a scenario where kthread_stop() is called on user space threads instead of kernel threads. This misidentification results in a kernel oops when the system attempts to access memory locations that are no longer valid, as evidenced by the null pointer dereference at address 0x0000000000000010. The call trace shows the error propagating through hrtimer_cancel and timerlat_fd_release functions, ultimately leading to process exit handling where the kernel attempts to clean up resources for threads that have already been improperly terminated.

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential attack vector for privilege escalation or denial of service. When exploited through the timerlat utility in continuous monitoring scenarios, the vulnerability can cause the kernel to crash or become unresponsive, effectively disabling system tracing capabilities and potentially affecting real-time system performance monitoring. The attack pattern described in the vulnerability involves running the timerlat utility in a loop that rapidly starts and terminates threads, which triggers the race condition. This behavior can be leveraged to cause system instability, particularly in environments where real-time performance monitoring is critical. The vulnerability also aligns with ATT&CK technique T1059.006, which involves the use of kernel-mode rootkits or exploits that manipulate kernel thread execution to achieve malicious objectives, though in this case the impact is more about system instability than direct exploitation.

Mitigation strategies for this vulnerability should focus on ensuring proper synchronization mechanisms are in place when managing kernel threads. The fix implemented in the kernel involves using a cpumask to properly track which threads are kthreads, thereby preventing the incorrect invocation of kthread_stop() on user space threads. System administrators should ensure that all kernel updates are applied promptly, particularly those addressing tracing and kernel thread management components. Monitoring systems should be configured to detect unusual patterns of thread creation and termination that might indicate this vulnerability being exploited. Additionally, the use of the timerlat utility in production environments should be carefully evaluated, as it was the mechanism through which this vulnerability was demonstrated. The fix should be validated through comprehensive testing that includes stress scenarios involving rapid thread creation and destruction, ensuring that the cpumask-based approach properly isolates kernel threads from user space threads during the thread management lifecycle.

Responsible

Linux

Reservation

09/11/2024

Disclosure

09/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00206

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!