cve/published/2024/CVE-2024-39479.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-39479: drm/i915/hwmon: Get rid of devm

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/i915/hwmon: Get rid of devm

 When both hwmon and hwmon drvdata (on which hwmon depends) are device
 managed resources, the expectation, on device unbind, is that hwmon will be
 released before drvdata. However, in i915 there are two separate code
 paths, which both release either drvdata or hwmon and either can be
 released before the other. These code paths (for device unbind) are as
 follows (see also the bug referenced below):

 Call Trace:
 release_nodes+0x11/0x70
 devres_release_group+0xb2/0x110
 component_unbind_all+0x8d/0xa0
 component_del+0xa5/0x140
 intel_pxp_tee_component_fini+0x29/0x40 [i915]
 intel_pxp_fini+0x33/0x80 [i915]
 i915_driver_remove+0x4c/0x120 [i915]
 i915_pci_remove+0x19/0x30 [i915]
 pci_device_remove+0x32/0xa0
 device_release_driver_internal+0x19c/0x200
 unbind_store+0x9c/0xb0

 and

 Call Trace:
 release_nodes+0x11/0x70
 devres_release_all+0x8a/0xc0
 device_unbind_cleanup+0x9/0x70
 device_release_driver_internal+0x1c1/0x200
 unbind_store+0x9c/0xb0

 This means that in i915, if use devm, we cannot gurantee that hwmon will
 always be released before drvdata. Which means that we have a uaf if hwmon
 sysfs is accessed when drvdata has been released but hwmon hasn't.

 The only way out of this seems to be do get rid of devm_ and release/free
 everything explicitly during device unbind.

 v2: Change commit message and other minor code changes
 v3: Cleanup from i915_hwmon_register on error (Armin Wolf)
 v4: Eliminate potential static analyzer warning (Rodrigo)
     Eliminate fetch_and_zero (Jani)
 v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)

 The Linux kernel CVE team has assigned CVE-2024-39479 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.34 with commit cfa73607eb21a4ce1d6294a2c5733628897b48a2
 	Fixed in 6.9.5 with commit ce5a22d22db691d14516c3b8fdbf69139eb2ea8f
 	Fixed in 6.10 with commit 5bc9de065b8bb9b8dd8799ecb4592d0403b54281

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-39479
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/i915/i915_hwmon.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2
 	https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f
 	https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-39479: drm/i915/hwmon: Get rid of devm

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/i915/hwmon: Get rid of devm

	When both hwmon and hwmon drvdata (on which hwmon depends) are device
	managed resources, the expectation, on device unbind, is that hwmon will be
	released before drvdata. However, in i915 there are two separate code
	paths, which both release either drvdata or hwmon and either can be
	released before the other. These code paths (for device unbind) are as
	follows (see also the bug referenced below):

	Call Trace:
	release_nodes+0x11/0x70
	devres_release_group+0xb2/0x110
	component_unbind_all+0x8d/0xa0
	component_del+0xa5/0x140
	intel_pxp_tee_component_fini+0x29/0x40 [i915]
	intel_pxp_fini+0x33/0x80 [i915]
	i915_driver_remove+0x4c/0x120 [i915]
	i915_pci_remove+0x19/0x30 [i915]
	pci_device_remove+0x32/0xa0
	device_release_driver_internal+0x19c/0x200
	unbind_store+0x9c/0xb0

	and

	Call Trace:
	release_nodes+0x11/0x70
	devres_release_all+0x8a/0xc0
	device_unbind_cleanup+0x9/0x70
	device_release_driver_internal+0x1c1/0x200
	unbind_store+0x9c/0xb0

	This means that in i915, if use devm, we cannot gurantee that hwmon will
	always be released before drvdata. Which means that we have a uaf if hwmon
	sysfs is accessed when drvdata has been released but hwmon hasn't.

	The only way out of this seems to be do get rid of devm_ and release/free
	everything explicitly during device unbind.

	v2: Change commit message and other minor code changes
	v3: Cleanup from i915_hwmon_register on error (Armin Wolf)
	v4: Eliminate potential static analyzer warning (Rodrigo)
	Eliminate fetch_and_zero (Jani)
	v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)

	The Linux kernel CVE team has assigned CVE-2024-39479 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.34 with commit cfa73607eb21a4ce1d6294a2c5733628897b48a2
	Fixed in 6.9.5 with commit ce5a22d22db691d14516c3b8fdbf69139eb2ea8f
	Fixed in 6.10 with commit 5bc9de065b8bb9b8dd8799ecb4592d0403b54281

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-39479
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/i915/i915_hwmon.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2
	https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f
	https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281