cve/published/2024/CVE-2024-39486.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-39486: drm/drm_file: Fix pid refcounting race

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/drm_file: Fix pid refcounting race

 <maarten.lankhorst@linux.intel.com>, Maxime Ripard
 <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>

 filp->pid is supposed to be a refcounted pointer; however, before this
 patch, drm_file_update_pid() only increments the refcount of a struct
 pid after storing a pointer to it in filp->pid and dropping the
 dev->filelist_mutex, making the following race possible:

 process A               process B
 =========               =========
                         begin drm_file_update_pid
                         mutex_lock(&dev->filelist_mutex)
                         rcu_replace_pointer(filp->pid, <pid B>, 1)
                         mutex_unlock(&dev->filelist_mutex)
 begin drm_file_update_pid
 mutex_lock(&dev->filelist_mutex)
 rcu_replace_pointer(filp->pid, <pid A>, 1)
 mutex_unlock(&dev->filelist_mutex)
 get_pid(<pid A>)
 synchronize_rcu()
 put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***
                         get_pid(<pid B>)   *** UAF ***
                         synchronize_rcu()
                         put_pid(<pid A>)

 As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
 because it requires RCU to detect a quiescent state in code that is not
 explicitly calling into the scheduler.

 This race leads to use-after-free of a "struct pid".
 It is probably somewhat hard to hit because process A has to pass
 through a synchronize_rcu() operation while process B is between
 mutex_unlock() and get_pid().

 Fix it by ensuring that by the time a pointer to the current task's pid
 is stored in the file, an extra reference to the pid has been taken.

 This fix also removes the condition for synchronize_rcu(); I think
 that optimization is unnecessary complexity, since in that case we
 would usually have bailed out on the lockless check above.

 The Linux kernel CVE team has assigned CVE-2024-39486 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.9 with commit 031ddd28008971cce0b5626379b910d0a05fb4dd and fixed in 6.6.37 with commit 16682588ead4a593cf1aebb33b36df4d1e9e4ffa
 	Issue introduced in 6.7 with commit 1c7a387ffef894b1ab3942f0482dac7a6e0a909c and fixed in 6.9.8 with commit 0acce2a5c619ef1abdee783d7fea5eac78ce4844
 	Issue introduced in 6.7 with commit 1c7a387ffef894b1ab3942f0482dac7a6e0a909c and fixed in 6.10 with commit 4f2a129b33a2054e62273edd5a051c34c08d96e9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-39486
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/drm_file.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/16682588ead4a593cf1aebb33b36df4d1e9e4ffa
 	https://git.kernel.org/stable/c/0acce2a5c619ef1abdee783d7fea5eac78ce4844
 	https://git.kernel.org/stable/c/4f2a129b33a2054e62273edd5a051c34c08d96e9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-39486: drm/drm_file: Fix pid refcounting race

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/drm_file: Fix pid refcounting race

	<maarten.lankhorst@linux.intel.com>, Maxime Ripard
	<mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>

	filp->pid is supposed to be a refcounted pointer; however, before this
	patch, drm_file_update_pid() only increments the refcount of a struct
	pid after storing a pointer to it in filp->pid and dropping the
	dev->filelist_mutex, making the following race possible:

	process A process B
	========= =========
	begin drm_file_update_pid
	mutex_lock(&dev->filelist_mutex)
	rcu_replace_pointer(filp->pid, <pid B>, 1)
	mutex_unlock(&dev->filelist_mutex)
	begin drm_file_update_pid
	mutex_lock(&dev->filelist_mutex)
	rcu_replace_pointer(filp->pid, <pid A>, 1)
	mutex_unlock(&dev->filelist_mutex)
	get_pid(<pid A>)
	synchronize_rcu()
	put_pid(<pid B>) * pid B reaches refcount 0 and is freed here *
	get_pid(<pid B>) * UAF *
	synchronize_rcu()
	put_pid(<pid A>)

	As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
	because it requires RCU to detect a quiescent state in code that is not
	explicitly calling into the scheduler.

	This race leads to use-after-free of a "struct pid".
	It is probably somewhat hard to hit because process A has to pass
	through a synchronize_rcu() operation while process B is between
	mutex_unlock() and get_pid().

	Fix it by ensuring that by the time a pointer to the current task's pid
	is stored in the file, an extra reference to the pid has been taken.

	This fix also removes the condition for synchronize_rcu(); I think
	that optimization is unnecessary complexity, since in that case we
	would usually have bailed out on the lockless check above.

	The Linux kernel CVE team has assigned CVE-2024-39486 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.9 with commit 031ddd28008971cce0b5626379b910d0a05fb4dd and fixed in 6.6.37 with commit 16682588ead4a593cf1aebb33b36df4d1e9e4ffa
	Issue introduced in 6.7 with commit 1c7a387ffef894b1ab3942f0482dac7a6e0a909c and fixed in 6.9.8 with commit 0acce2a5c619ef1abdee783d7fea5eac78ce4844
	Issue introduced in 6.7 with commit 1c7a387ffef894b1ab3942f0482dac7a6e0a909c and fixed in 6.10 with commit 4f2a129b33a2054e62273edd5a051c34c08d96e9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-39486
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/drm_file.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/16682588ead4a593cf1aebb33b36df4d1e9e4ffa
	https://git.kernel.org/stable/c/0acce2a5c619ef1abdee783d7fea5eac78ce4844
	https://git.kernel.org/stable/c/4f2a129b33a2054e62273edd5a051c34c08d96e9