cve/published/2024/CVE-2024-36899.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 gpiolib: cdev: Fix use after free in lineinfo_changed_notify

 The use-after-free issue occurs as follows: when the GPIO chip device file
 is being closed by invoking gpio_chrdev_release(), watched_lines is freed
 by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier
 chain failed due to waiting write rwsem. Additionally, one of the GPIO
 chip's lines is also in the release process and holds the notifier chain's
 read rwsem. Consequently, a race condition leads to the use-after-free of
 watched_lines.

 Here is the typical stack when issue happened:

 [free]
 gpio_chrdev_release()
   --> bitmap_free(cdev->watched_lines)                  <-- freed
   --> blocking_notifier_chain_unregister()
     --> down_write(&nh->rwsem)                          <-- waiting rwsem
           --> __down_write_common()
             --> rwsem_down_write_slowpath()
                   --> schedule_preempt_disabled()
                     --> schedule()

 [use]
 st54spi_gpio_dev_release()
   --> gpio_free()
     --> gpiod_free()
       --> gpiod_free_commit()
         --> gpiod_line_state_notify()
           --> blocking_notifier_call_chain()
             --> down_read(&nh->rwsem);                  <-- held rwsem
             --> notifier_call_chain()
               --> lineinfo_changed_notify()
                 --> test_bit(xxxx, cdev->watched_lines) <-- use after free

 The side effect of the use-after-free issue is that a GPIO line event is
 being generated for userspace where it shouldn't. However, since the chrdev
 is being closed, userspace won't have the chance to read that event anyway.

 To fix the issue, call the bitmap_free() function after the unregistration
 of lineinfo_changed_nb notifier chain.

 The Linux kernel CVE team has assigned CVE-2024-36899 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 5.10.234 with commit 2dfbb920a89bdc58087672ad5325dc6c588b6860
 	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 5.15.177 with commit 2d008d4961b039d2edce8976289773961b7e5fb5
 	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.1.127 with commit d38c49f7bdf14381270736299e2ff68ec248a017
 	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.6.31 with commit 95ca7c90eaf5ea8a8460536535101e3e81160e2a
 	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.8.10 with commit ca710b5f40b8b16fdcad50bebd47f50e4c62d239
 	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.9 with commit 02f6b0e1ec7e0e7d059dddc893645816552039da

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36899
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpio/gpiolib-cdev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2dfbb920a89bdc58087672ad5325dc6c588b6860
 	https://git.kernel.org/stable/c/2d008d4961b039d2edce8976289773961b7e5fb5
 	https://git.kernel.org/stable/c/d38c49f7bdf14381270736299e2ff68ec248a017
 	https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a
 	https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239
 	https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	gpiolib: cdev: Fix use after free in lineinfo_changed_notify

	The use-after-free issue occurs as follows: when the GPIO chip device file
	is being closed by invoking gpio_chrdev_release(), watched_lines is freed
	by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier
	chain failed due to waiting write rwsem. Additionally, one of the GPIO
	chip's lines is also in the release process and holds the notifier chain's
	read rwsem. Consequently, a race condition leads to the use-after-free of
	watched_lines.

	Here is the typical stack when issue happened:

	[free]
	gpio_chrdev_release()
	--> bitmap_free(cdev->watched_lines) <-- freed
	--> blocking_notifier_chain_unregister()
	--> down_write(&nh->rwsem) <-- waiting rwsem
	--> __down_write_common()
	--> rwsem_down_write_slowpath()
	--> schedule_preempt_disabled()
	--> schedule()

	[use]
	st54spi_gpio_dev_release()
	--> gpio_free()
	--> gpiod_free()
	--> gpiod_free_commit()
	--> gpiod_line_state_notify()
	--> blocking_notifier_call_chain()
	--> down_read(&nh->rwsem); <-- held rwsem
	--> notifier_call_chain()
	--> lineinfo_changed_notify()
	--> test_bit(xxxx, cdev->watched_lines) <-- use after free

	The side effect of the use-after-free issue is that a GPIO line event is
	being generated for userspace where it shouldn't. However, since the chrdev
	is being closed, userspace won't have the chance to read that event anyway.

	To fix the issue, call the bitmap_free() function after the unregistration
	of lineinfo_changed_nb notifier chain.

	The Linux kernel CVE team has assigned CVE-2024-36899 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 5.10.234 with commit 2dfbb920a89bdc58087672ad5325dc6c588b6860
	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 5.15.177 with commit 2d008d4961b039d2edce8976289773961b7e5fb5
	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.1.127 with commit d38c49f7bdf14381270736299e2ff68ec248a017
	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.6.31 with commit 95ca7c90eaf5ea8a8460536535101e3e81160e2a
	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.8.10 with commit ca710b5f40b8b16fdcad50bebd47f50e4c62d239
	Issue introduced in 5.7 with commit 51c1064e82e77b39a49889287ca50709303e2f26 and fixed in 6.9 with commit 02f6b0e1ec7e0e7d059dddc893645816552039da

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36899
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpio/gpiolib-cdev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2dfbb920a89bdc58087672ad5325dc6c588b6860
	https://git.kernel.org/stable/c/2d008d4961b039d2edce8976289773961b7e5fb5
	https://git.kernel.org/stable/c/d38c49f7bdf14381270736299e2ff68ec248a017
	https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a
	https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239
	https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da