cve/published/2022/CVE-2022-49607.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49607: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

 Yang Jihing reported a race between perf_event_set_output() and
 perf_mmap_close():

 	CPU1					CPU2

 	perf_mmap_close(e2)
 	  if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
 	    detach_rest = true

 						ioctl(e1, IOC_SET_OUTPUT, e2)
 						  perf_event_set_output(e1, e2)

 	  ...
 	  list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
 	    ring_buffer_attach(e, NULL);
 	    // e1 isn't yet added and
 	    // therefore not detached

 						    ring_buffer_attach(e1, e2->rb)
 						      list_add_rcu(&e1->rb_entry,
 								   &e2->rb->event_list)

 After this; e1 is attached to an unmapped rb and a subsequent
 perf_mmap() will loop forever more:

 	again:
 		mutex_lock(&e->mmap_mutex);
 		if (event->rb) {
 			...
 			if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
 				...
 				mutex_unlock(&e->mmap_mutex);
 				goto again;
 			}
 		}

 The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
 in perf_event_set_output() holds e1->mmap_mutex. As such there is no
 serialization to avoid this race.

 Change perf_event_set_output() to take both e1->mmap_mutex and
 e2->mmap_mutex to alleviate that problem. Additionally, have the loop
 in perf_mmap() detach the rb directly, this avoids having to wait for
 the concurrent perf_mmap_close() to get around to doing it to make
 progress.

 The Linux kernel CVE team has assigned CVE-2022-49607 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 4.9.325 with commit 3bbd868099287ff9027db59029b502fcfa2202a0
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 4.14.290 with commit f836f9ac95df15f1e0af4beb0ec20021e8c91998
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 4.19.254 with commit 17f5417194136517ee9bbd6511249e5310e5617c
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.4.208 with commit 98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.10.134 with commit 43128b3eee337824158f34da6648163d2f2fb937
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.15.58 with commit da3c256e2d0ebc87c7db0c605c9692b6f1722074
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.18.15 with commit a9391ff7a7c5f113d6f2bf6621d49110950de49c
 	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.19 with commit 68e3c69803dada336893640110cb87221bb01dcf
 	Issue introduced in 3.2.49 with commit 2487f0db30527032c4d56fc2d0b1a240fe89fef8
 	Issue introduced in 3.4.52 with commit 703197b61d05f5edae54bad3256901c5a5c8794c
 	Issue introduced in 3.9.8 with commit c52217e88ae0f3a4ae00562d86e338f8f85969b4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49607
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/events/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0
 	https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998
 	https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c
 	https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
 	https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937
 	https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074
 	https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c
 	https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49607: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

	Yang Jihing reported a race between perf_event_set_output() and
	perf_mmap_close():

	CPU1 CPU2

	perf_mmap_close(e2)
	if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
	detach_rest = true

	ioctl(e1, IOC_SET_OUTPUT, e2)
	perf_event_set_output(e1, e2)

	...
	list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
	ring_buffer_attach(e, NULL);
	// e1 isn't yet added and
	// therefore not detached

	ring_buffer_attach(e1, e2->rb)
	list_add_rcu(&e1->rb_entry,
	&e2->rb->event_list)

	After this; e1 is attached to an unmapped rb and a subsequent
	perf_mmap() will loop forever more:

	again:
	mutex_lock(&e->mmap_mutex);
	if (event->rb) {
	...
	if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
	...
	mutex_unlock(&e->mmap_mutex);
	goto again;
	}
	}

	The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach
	in perf_event_set_output() holds e1->mmap_mutex. As such there is no
	serialization to avoid this race.

	Change perf_event_set_output() to take both e1->mmap_mutex and
	e2->mmap_mutex to alleviate that problem. Additionally, have the loop
	in perf_mmap() detach the rb directly, this avoids having to wait for
	the concurrent perf_mmap_close() to get around to doing it to make
	progress.

	The Linux kernel CVE team has assigned CVE-2022-49607 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 4.9.325 with commit 3bbd868099287ff9027db59029b502fcfa2202a0
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 4.14.290 with commit f836f9ac95df15f1e0af4beb0ec20021e8c91998
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 4.19.254 with commit 17f5417194136517ee9bbd6511249e5310e5617c
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.4.208 with commit 98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.10.134 with commit 43128b3eee337824158f34da6648163d2f2fb937
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.15.58 with commit da3c256e2d0ebc87c7db0c605c9692b6f1722074
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.18.15 with commit a9391ff7a7c5f113d6f2bf6621d49110950de49c
	Issue introduced in 3.10 with commit 9bb5d40cd93c9dd4be74834b1dcb1ba03629716b and fixed in 5.19 with commit 68e3c69803dada336893640110cb87221bb01dcf
	Issue introduced in 3.2.49 with commit 2487f0db30527032c4d56fc2d0b1a240fe89fef8
	Issue introduced in 3.4.52 with commit 703197b61d05f5edae54bad3256901c5a5c8794c
	Issue introduced in 3.9.8 with commit c52217e88ae0f3a4ae00562d86e338f8f85969b4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49607
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/events/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0
	https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998
	https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c
	https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
	https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937
	https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074
	https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c
	https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf