cve/published/2024/CVE-2024-56545.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56545: HID: hyperv: streamline driver probe to avoid devres issues

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 HID: hyperv: streamline driver probe to avoid devres issues

 It was found that unloading 'hid_hyperv' module results in a devres
 complaint:

  ...
  hv_vmbus: unregistering driver hid_hyperv
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 3983 at drivers/base/devres.c:691 devres_release_group+0x1f2/0x2c0
  ...
  Call Trace:
   <TASK>
   ? devres_release_group+0x1f2/0x2c0
   ? __warn+0xd1/0x1c0
   ? devres_release_group+0x1f2/0x2c0
   ? report_bug+0x32a/0x3c0
   ? handle_bug+0x53/0xa0
   ? exc_invalid_op+0x18/0x50
   ? asm_exc_invalid_op+0x1a/0x20
   ? devres_release_group+0x1f2/0x2c0
   ? devres_release_group+0x90/0x2c0
   ? rcu_is_watching+0x15/0xb0
   ? __pfx_devres_release_group+0x10/0x10
   hid_device_remove+0xf5/0x220
   device_release_driver_internal+0x371/0x540
   ? klist_put+0xf3/0x170
   bus_remove_device+0x1f1/0x3f0
   device_del+0x33f/0x8c0
   ? __pfx_device_del+0x10/0x10
   ? cleanup_srcu_struct+0x337/0x500
   hid_destroy_device+0xc8/0x130
   mousevsc_remove+0xd2/0x1d0 [hid_hyperv]
   device_release_driver_internal+0x371/0x540
   driver_detach+0xc5/0x180
   bus_remove_driver+0x11e/0x2a0
   ? __mutex_unlock_slowpath+0x160/0x5e0
   vmbus_driver_unregister+0x62/0x2b0 [hv_vmbus]
   ...

 And the issue seems to be that the corresponding devres group is not
 allocated. Normally, devres_open_group() is called from
 __hid_device_probe() but Hyper-V HID driver overrides 'hid_dev->driver'
 with 'mousevsc_hid_driver' stub and basically re-implements
 __hid_device_probe() by calling hid_parse() and hid_hw_start() but not
 devres_open_group(). hid_device_probe() does not call __hid_device_probe()
 for it. Later, when the driver is removed, hid_device_remove() calls
 devres_release_group() as it doesn't check whether hdev->driver was
 initially overridden or not.

 The issue seems to be related to the commit 62c68e7cee33 ("HID: ensure
 timely release of driver-allocated resources") but the commit itself seems
 to be correct.

 Fix the issue by dropping the 'hid_dev->driver' override and using
 hid_register_driver()/hid_unregister_driver() instead. Alternatively, it
 would have been possible to rely on the default handling but
 HID_CONNECT_DEFAULT implies HID_CONNECT_HIDRAW and it doesn't seem to work
 for mousevsc as-is.

 The Linux kernel CVE team has assigned CVE-2024-56545 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.6.64 with commit b03e713a400aeb5f969bab4daf47a7402d0df814
 	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.11.11 with commit 19a9457e5e210e408c1f8865b5d93c5a2c90409d
 	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.12.2 with commit 3d48d0fbaaa74a04fb9092780a3f83dc4f3f8160
 	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.13 with commit 66ef47faa90d838cda131fe1f7776456cc3b59f2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56545
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/hid/hid-hyperv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b03e713a400aeb5f969bab4daf47a7402d0df814
 	https://git.kernel.org/stable/c/19a9457e5e210e408c1f8865b5d93c5a2c90409d
 	https://git.kernel.org/stable/c/3d48d0fbaaa74a04fb9092780a3f83dc4f3f8160
 	https://git.kernel.org/stable/c/66ef47faa90d838cda131fe1f7776456cc3b59f2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56545: HID: hyperv: streamline driver probe to avoid devres issues

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	HID: hyperv: streamline driver probe to avoid devres issues

	It was found that unloading 'hid_hyperv' module results in a devres
	complaint:

	...
	hv_vmbus: unregistering driver hid_hyperv
	------------[ cut here ]------------
	WARNING: CPU: 2 PID: 3983 at drivers/base/devres.c:691 devres_release_group+0x1f2/0x2c0
	...
	Call Trace:
	<TASK>
	? devres_release_group+0x1f2/0x2c0
	? __warn+0xd1/0x1c0
	? devres_release_group+0x1f2/0x2c0
	? report_bug+0x32a/0x3c0
	? handle_bug+0x53/0xa0
	? exc_invalid_op+0x18/0x50
	? asm_exc_invalid_op+0x1a/0x20
	? devres_release_group+0x1f2/0x2c0
	? devres_release_group+0x90/0x2c0
	? rcu_is_watching+0x15/0xb0
	? __pfx_devres_release_group+0x10/0x10
	hid_device_remove+0xf5/0x220
	device_release_driver_internal+0x371/0x540
	? klist_put+0xf3/0x170
	bus_remove_device+0x1f1/0x3f0
	device_del+0x33f/0x8c0
	? __pfx_device_del+0x10/0x10
	? cleanup_srcu_struct+0x337/0x500
	hid_destroy_device+0xc8/0x130
	mousevsc_remove+0xd2/0x1d0 [hid_hyperv]
	device_release_driver_internal+0x371/0x540
	driver_detach+0xc5/0x180
	bus_remove_driver+0x11e/0x2a0
	? __mutex_unlock_slowpath+0x160/0x5e0
	vmbus_driver_unregister+0x62/0x2b0 [hv_vmbus]
	...

	And the issue seems to be that the corresponding devres group is not
	allocated. Normally, devres_open_group() is called from
	__hid_device_probe() but Hyper-V HID driver overrides 'hid_dev->driver'
	with 'mousevsc_hid_driver' stub and basically re-implements
	__hid_device_probe() by calling hid_parse() and hid_hw_start() but not
	devres_open_group(). hid_device_probe() does not call __hid_device_probe()
	for it. Later, when the driver is removed, hid_device_remove() calls
	devres_release_group() as it doesn't check whether hdev->driver was
	initially overridden or not.

	The issue seems to be related to the commit 62c68e7cee33 ("HID: ensure
	timely release of driver-allocated resources") but the commit itself seems
	to be correct.

	Fix the issue by dropping the 'hid_dev->driver' override and using
	hid_register_driver()/hid_unregister_driver() instead. Alternatively, it
	would have been possible to rely on the default handling but
	HID_CONNECT_DEFAULT implies HID_CONNECT_HIDRAW and it doesn't seem to work
	for mousevsc as-is.

	The Linux kernel CVE team has assigned CVE-2024-56545 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.6.64 with commit b03e713a400aeb5f969bab4daf47a7402d0df814
	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.11.11 with commit 19a9457e5e210e408c1f8865b5d93c5a2c90409d
	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.12.2 with commit 3d48d0fbaaa74a04fb9092780a3f83dc4f3f8160
	Issue introduced in 6.5 with commit 62c68e7cee332e08e625af3bca3318814086490d and fixed in 6.13 with commit 66ef47faa90d838cda131fe1f7776456cc3b59f2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56545
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/hid/hid-hyperv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b03e713a400aeb5f969bab4daf47a7402d0df814
	https://git.kernel.org/stable/c/19a9457e5e210e408c1f8865b5d93c5a2c90409d
	https://git.kernel.org/stable/c/3d48d0fbaaa74a04fb9092780a3f83dc4f3f8160
	https://git.kernel.org/stable/c/66ef47faa90d838cda131fe1f7776456cc3b59f2