Zheng Yejian

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a possible use-after-free problem in the `ftrace location()` function. This occurs because the `lookup rec()` function searches for an ftrace record of some address in ftrace pages of a module, while at the same time, those ftrace pages are being freed in `ftrace release mod()` as the corresponding module is being deleted. This can lead to a situation where the same memory location is accessed after it has been freed, potentially causing unexpected behavior or crashes. The root cause of this problem is a race condition between the `register kprobes()` and `delete module()` functions. **Recommendations** To fix this issue, the following steps can be taken: 1. Hold the rcu lock when accessing ftrace pages in `ftrace location range()`. 2. Use `ftrace location range()` instead of `lookup rec()` in `ftrace location()`. 3. Call `synchronize rcu()` before freeing any ftrace pages in `ftrace process locs()`, `ftrace release mod()`, and `ftrace free mem()`. Update the Linux kernel to version 6.6.37 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a possible use-after-free problem in the kprobes registration of the Linux kernel. When unloading a module, its state changes, and if `is module text address()` and ` module text address()` are used separately, there is a chance that the first one succeeds but the next one fails because the module's state becomes MODULE STATE UNFORMED between these operations. In the `check kprobe address safe()` function, if the second ` module text address()` fails, it is ignored because it expected a kernel text address, but it may have failed simply because the module's state has been changed to MODULE STATE UNFORMED. This can cause `arm kprobe()` to try to modify a non-existent module text address, resulting in a use-after-free issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when a dynamic event, such as a kprobe event, is traced and then removed, allowing its type number to be reused by a newly created dynamic event. This can lead to the new event's logic being used to parse the binary blob, potentially causing problems. The issue can be demonstrated by creating and removing 65536 dynamic events, which can cause the kernel to crash. Technical details include the use of the `kprobe events` file to create and remove events, and the `do sys openat2` function call being traced. The `arg1` variable is used to store the first parameter of the function call, and the `+0($arg2):string` syntax is used to read a string from the `arg2` variable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.