cve/published/2024/CVE-2024-56587.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56587: leds: class: Protect brightness_show() with led_cdev->led_access mutex

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 leds: class: Protect brightness_show() with led_cdev->led_access mutex

 There is NULL pointer issue observed if from Process A where hid device
 being added which results in adding a led_cdev addition and later a
 another call to access of led_cdev attribute from Process B can result
 in NULL pointer issue.

 Use mutex led_cdev->led_access to protect access to led->cdev and its
 attribute inside brightness_show() and max_brightness_show() and also
 update the comment for mutex that it should be used to protect the led
 class device fields.

 	Process A 				Process B

  kthread+0x114
  worker_thread+0x244
  process_scheduled_works+0x248
  uhid_device_add_worker+0x24
  hid_add_device+0x120
  device_add+0x268
  bus_probe_device+0x94
  device_initial_probe+0x14
  __device_attach+0xfc
  bus_for_each_drv+0x10c
  __device_attach_driver+0x14c
  driver_probe_device+0x3c
  __driver_probe_device+0xa0
  really_probe+0x190
  hid_device_probe+0x130
  ps_probe+0x990
  ps_led_register+0x94
  devm_led_classdev_register_ext+0x58
  led_classdev_register_ext+0x1f8
  device_create_with_groups+0x48
  device_create_groups_vargs+0xc8
  device_add+0x244
  kobject_uevent+0x14
  kobject_uevent_env[jt]+0x224
  mutex_unlock[jt]+0xc4
  __mutex_unlock_slowpath+0xd4
  wake_up_q+0x70
  try_to_wake_up[jt]+0x48c
  preempt_schedule_common+0x28
  __schedule+0x628
  __switch_to+0x174
 						el0t_64_sync+0x1a8/0x1ac
 						el0t_64_sync_handler+0x68/0xbc
 						el0_svc+0x38/0x68
 						do_el0_svc+0x1c/0x28
 						el0_svc_common+0x80/0xe0
 						invoke_syscall+0x58/0x114
 						__arm64_sys_read+0x1c/0x2c
 						ksys_read+0x78/0xe8
 						vfs_read+0x1e0/0x2c8
 						kernfs_fop_read_iter+0x68/0x1b4
 						seq_read_iter+0x158/0x4ec
 						kernfs_seq_show+0x44/0x54
 						sysfs_kf_seq_show+0xb4/0x130
 						dev_attr_show+0x38/0x74
 						brightness_show+0x20/0x4c
 						dualshock4_led_get_brightness+0xc/0x74

 [ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
 [ 3313.874301][ T4013] Mem abort info:
 [ 3313.874303][ T4013]   ESR = 0x0000000096000006
 [ 3313.874305][ T4013]   EC = 0x25: DABT (current EL), IL = 32 bits
 [ 3313.874307][ T4013]   SET = 0, FnV = 0
 [ 3313.874309][ T4013]   EA = 0, S1PTW = 0
 [ 3313.874311][ T4013]   FSC = 0x06: level 2 translation fault
 [ 3313.874313][ T4013] Data abort info:
 [ 3313.874314][ T4013]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
 [ 3313.874316][ T4013]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
 [ 3313.874318][ T4013]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
 [ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000
 ..

 [ 3313.874332][ T4013] Dumping ftrace buffer:
 [ 3313.874334][ T4013]    (ftrace buffer empty)
 ..
 ..
 [ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader
 [ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74
 [ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60
 [ 3313.874656][ T4013] sp : ffffffc0b910bbd0
 ..
 ..
 [ 3313.874685][ T4013] Call trace:
 [ 3313.874687][ T4013]  dualshock4_led_get_brightness+0xc/0x74
 [ 3313.874690][ T4013]  brightness_show+0x20/0x4c
 [ 3313.874692][ T4013]  dev_attr_show+0x38/0x74
 [ 3313.874696][ T4013]  sysfs_kf_seq_show+0xb4/0x130
 [ 3313.874700][ T4013]  kernfs_seq_show+0x44/0x54
 [ 3313.874703][ T4013]  seq_read_iter+0x158/0x4ec
 [ 3313.874705][ T4013]  kernfs_fop_read_iter+0x68/0x1b4
 [ 3313.874708][ T4013]  vfs_read+0x1e0/0x2c8
 [ 3313.874711][ T4013]  ksys_read+0x78/0xe8
 [ 3313.874714][ T4013]  __arm64_sys_read+0x1c/0x2c
 [ 3313.874718][ T4013]  invoke_syscall+0x58/0x114
 [ 3313.874721][ T4013]  el0_svc_common+0x80/0xe0
 [ 3313.874724][ T4013]  do_el0_svc+0x1c/0x28
 [ 3313.874727][ T4013]  el0_svc+0x38/0x68
 [ 3313.874730][ T4013]  el0t_64_sync_handler+0x68/0xbc
 [ 3313.874732][ T4013]  el0t_64_sync+0x1a8/0x1ac

 The Linux kernel CVE team has assigned CVE-2024-56587 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.287 with commit 84b42d5b5fcd767c9b7f30b0b32065ed949fe804
 	Fixed in 5.10.231 with commit ddcfc5708da9972ac23a9121b3d819b0a53d6f21
 	Fixed in 5.15.174 with commit b8283d52ed15c02bb2eb9b1b8644dcc34f8e98f1
 	Fixed in 6.1.120 with commit 50d9f68e4adf86901cbab1bd5b91f710aa9141b9
 	Fixed in 6.6.66 with commit f6d6fb563e4be245a17bc4261a4b294e8bf8a31e
 	Fixed in 6.12.5 with commit bb4a6236a430cfc3713f470f3a969f39d6d4ca25
 	Fixed in 6.13 with commit 4ca7cd938725a4050dcd62ae9472e931d603118d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56587
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/leds/led-class.c
 	include/linux/leds.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/84b42d5b5fcd767c9b7f30b0b32065ed949fe804
 	https://git.kernel.org/stable/c/ddcfc5708da9972ac23a9121b3d819b0a53d6f21
 	https://git.kernel.org/stable/c/b8283d52ed15c02bb2eb9b1b8644dcc34f8e98f1
 	https://git.kernel.org/stable/c/50d9f68e4adf86901cbab1bd5b91f710aa9141b9
 	https://git.kernel.org/stable/c/f6d6fb563e4be245a17bc4261a4b294e8bf8a31e
 	https://git.kernel.org/stable/c/bb4a6236a430cfc3713f470f3a969f39d6d4ca25
 	https://git.kernel.org/stable/c/4ca7cd938725a4050dcd62ae9472e931d603118d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56587: leds: class: Protect brightness_show() with led_cdev->led_access mutex

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	leds: class: Protect brightness_show() with led_cdev->led_access mutex

	There is NULL pointer issue observed if from Process A where hid device
	being added which results in adding a led_cdev addition and later a
	another call to access of led_cdev attribute from Process B can result
	in NULL pointer issue.

	Use mutex led_cdev->led_access to protect access to led->cdev and its
	attribute inside brightness_show() and max_brightness_show() and also
	update the comment for mutex that it should be used to protect the led
	class device fields.

	Process A Process B

	kthread+0x114
	worker_thread+0x244
	process_scheduled_works+0x248
	uhid_device_add_worker+0x24
	hid_add_device+0x120
	device_add+0x268
	bus_probe_device+0x94
	device_initial_probe+0x14
	__device_attach+0xfc
	bus_for_each_drv+0x10c
	__device_attach_driver+0x14c
	driver_probe_device+0x3c
	__driver_probe_device+0xa0
	really_probe+0x190
	hid_device_probe+0x130
	ps_probe+0x990
	ps_led_register+0x94
	devm_led_classdev_register_ext+0x58
	led_classdev_register_ext+0x1f8
	device_create_with_groups+0x48
	device_create_groups_vargs+0xc8
	device_add+0x244
	kobject_uevent+0x14
	kobject_uevent_env[jt]+0x224
	mutex_unlock[jt]+0xc4
	__mutex_unlock_slowpath+0xd4
	wake_up_q+0x70
	try_to_wake_up[jt]+0x48c
	preempt_schedule_common+0x28
	__schedule+0x628
	__switch_to+0x174
	el0t_64_sync+0x1a8/0x1ac
	el0t_64_sync_handler+0x68/0xbc
	el0_svc+0x38/0x68
	do_el0_svc+0x1c/0x28
	el0_svc_common+0x80/0xe0
	invoke_syscall+0x58/0x114
	__arm64_sys_read+0x1c/0x2c
	ksys_read+0x78/0xe8
	vfs_read+0x1e0/0x2c8
	kernfs_fop_read_iter+0x68/0x1b4
	seq_read_iter+0x158/0x4ec
	kernfs_seq_show+0x44/0x54
	sysfs_kf_seq_show+0xb4/0x130
	dev_attr_show+0x38/0x74
	brightness_show+0x20/0x4c
	dualshock4_led_get_brightness+0xc/0x74

	[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
	[ 3313.874301][ T4013] Mem abort info:
	[ 3313.874303][ T4013] ESR = 0x0000000096000006
	[ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits
	[ 3313.874307][ T4013] SET = 0, FnV = 0
	[ 3313.874309][ T4013] EA = 0, S1PTW = 0
	[ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault
	[ 3313.874313][ T4013] Data abort info:
	[ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
	[ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
	[ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
	[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000
	..

	[ 3313.874332][ T4013] Dumping ftrace buffer:
	[ 3313.874334][ T4013] (ftrace buffer empty)
	..
	..
	[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader
	[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74
	[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60
	[ 3313.874656][ T4013] sp : ffffffc0b910bbd0
	..
	..
	[ 3313.874685][ T4013] Call trace:
	[ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74
	[ 3313.874690][ T4013] brightness_show+0x20/0x4c
	[ 3313.874692][ T4013] dev_attr_show+0x38/0x74
	[ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130
	[ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54
	[ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec
	[ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4
	[ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8
	[ 3313.874711][ T4013] ksys_read+0x78/0xe8
	[ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c
	[ 3313.874718][ T4013] invoke_syscall+0x58/0x114
	[ 3313.874721][ T4013] el0_svc_common+0x80/0xe0
	[ 3313.874724][ T4013] do_el0_svc+0x1c/0x28
	[ 3313.874727][ T4013] el0_svc+0x38/0x68
	[ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc
	[ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac

	The Linux kernel CVE team has assigned CVE-2024-56587 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.287 with commit 84b42d5b5fcd767c9b7f30b0b32065ed949fe804
	Fixed in 5.10.231 with commit ddcfc5708da9972ac23a9121b3d819b0a53d6f21
	Fixed in 5.15.174 with commit b8283d52ed15c02bb2eb9b1b8644dcc34f8e98f1
	Fixed in 6.1.120 with commit 50d9f68e4adf86901cbab1bd5b91f710aa9141b9
	Fixed in 6.6.66 with commit f6d6fb563e4be245a17bc4261a4b294e8bf8a31e
	Fixed in 6.12.5 with commit bb4a6236a430cfc3713f470f3a969f39d6d4ca25
	Fixed in 6.13 with commit 4ca7cd938725a4050dcd62ae9472e931d603118d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56587
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/leds/led-class.c
	include/linux/leds.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/84b42d5b5fcd767c9b7f30b0b32065ed949fe804
	https://git.kernel.org/stable/c/ddcfc5708da9972ac23a9121b3d819b0a53d6f21
	https://git.kernel.org/stable/c/b8283d52ed15c02bb2eb9b1b8644dcc34f8e98f1
	https://git.kernel.org/stable/c/50d9f68e4adf86901cbab1bd5b91f710aa9141b9
	https://git.kernel.org/stable/c/f6d6fb563e4be245a17bc4261a4b294e8bf8a31e
	https://git.kernel.org/stable/c/bb4a6236a430cfc3713f470f3a969f39d6d4ca25
	https://git.kernel.org/stable/c/4ca7cd938725a4050dcd62ae9472e931d603118d