Описание
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix uevent_show() vs driver detach race
uevent_show() wants to de-reference dev->driver->name. There is no clean way for a device attribute to de-reference dev->driver unless that attribute is defined via (struct device_driver).dev_groups. Instead, the anti-pattern of taking the device_lock() in the attribute handler risks deadlocks with code paths that remove device attributes while holding the lock.
This deadlock is typically invisible to lockdep given the device_lock() is marked lockdep_set_novalidate_class(), but some subsystems allocate a local lockdep key for @dev->mutex to reveal reports of the form:
====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc7+ #275 Tainted: G OE N
modprobe/2374 is trying to acquire lock: ffff8c2270070de0 (kn->active#6){++++}-{...
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix uevent_show() vs driver detach race
uevent_show() wants to de-reference dev->driver->name. There is no clean way for a device attribute to de-reference dev->driver unless that attribute is defined via (struct device_driver).dev_groups. Instead, the anti-pattern of taking the device_lock() in the attribute handler risks deadlocks with code paths that remove device attributes while holding the lock.
This deadlock is typically invisible to lockdep given the device_lock() is marked lockdep_set_novalidate_class(), but some subsystems allocate a local lockdep key for @dev->mutex to reveal reports of the form:
====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc7+ #275 Tainted: G OE N
modprobe/2374 is trying to acquire lock: ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220
but task is already holding lock: ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&cxl_root_key){+.+.}-{3:3}: __mutex_lock+0x99/0xc30 uevent_show+0xac/0x130 dev_attr_show+0x18/0x40 sysfs_kf_seq_show+0xac/0xf0 seq_read_iter+0x110/0x450 vfs_read+0x25b/0x340 ksys_read+0x67/0xf0 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #0 (kn->active#6){++++}-{0:0}: __lock_acquire+0x121a/0x1fa0 lock_acquire+0xd6/0x2e0 kernfs_drain+0x1e9/0x200 __kernfs_remove+0xde/0x220 kernfs_remove_by_name_ns+0x5e/0xa0 device_del+0x168/0x410 device_unregister+0x13/0x60 devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1c7/0x210 driver_detach+0x47/0x90 bus_remove_driver+0x6c/0xf0 cxl_acpi_exit+0xc/0x11 [cxl_acpi] __do_sys_delete_module.isra.0+0x181/0x260 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e
The observation though is that driver objects are typically much longer lived than device objects. It is reasonable to perform lockless de-reference of a @driver pointer even if it is racing detach from a device. Given the infrequency of driver unregistration, use synchronize_rcu() in module_remove_driver() to close any potential races. It is potentially overkill to suffer synchronize_rcu() just to handle the rare module removal racing uevent_show() event.
Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1].
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-44952
- https://git.kernel.org/stable/c/15fffc6a5624b13b428bb1c6e9088e32a55eb82c
- https://git.kernel.org/stable/c/1cfc329304617838dc06f021bbbde3bc79cd655e
- https://git.kernel.org/stable/c/4749d336170dbb629e515a857e58a82e61c37a9c
- https://git.kernel.org/stable/c/49ea4e0d862632d51667da5e7a9c88a560e9c5a1
- https://git.kernel.org/stable/c/4a7c2a8387524942171037e70b80e969c3b5c05b
- https://git.kernel.org/stable/c/4d035c743c3e391728a6f81cbf0f7f9ca700cf62
- https://git.kernel.org/stable/c/92d847a35e1e41bceba13b8ac1f0e1b9dbe30d25
- https://git.kernel.org/stable/c/9c23fc327d6ec67629b4ad323bd64d3834c0417d
- https://git.kernel.org/stable/c/cd490a247ddf325325fd0de8898659400c9237ef
- https://git.kernel.org/stable/c/cfc72b86fa20cbf44d2b6cc27b35eb15080232ab
- https://git.kernel.org/stable/c/d4dba9a076838f3d0333a6a66efec2cdda90b2ee
- https://git.kernel.org/stable/c/dd98c9630b7ee273da87e9a244f94ddf947161e2
- https://git.kernel.org/stable/c/f098e8fc7227166206256c18d56ab622039108b1
- https://git.kernel.org/stable/c/fd28d9589460945985ef5333e9b942c4261f0826
- https://git.kernel.org/stable/c/fe10c8367687c27172a10ba5cc849bd82077bd7d
Связанные уязвимости
[REJECTED CVE] A vulnerability in the Linux kernel's driver core related to uevent_show() and driver detach has been identified. The issue involved a race condition where uevent_show() attempted to dereference dev->driver->name, leading to a potential deadlock due to improper locking. While this could cause system instability, an attacker would need the ability to manipulate device attributes and timing precisely, making exploitation impractical.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
ELSA-2024-12682: Unbreakable Enterprise kernel security update (IMPORTANT)
ELSA-2024-12779: Unbreakable Enterprise kernel security update (IMPORTANT)