cve/published/2024/CVE-2024-56610.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56610: kcsan: Turn report_filterlist_lock into a raw_spinlock

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 kcsan: Turn report_filterlist_lock into a raw_spinlock

 Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see
 splats like:

 | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
 | preempt_count: 10002, expected: 0
 | RCU nest depth: 0, expected: 0
 | no locks held by swapper/1/0.
 | irq event stamp: 156674
 | hardirqs last  enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240
 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0
 | softirqs last  enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60
 | softirqs last disabled at (0): [<0000000000000000>] 0x0
 | Preemption disabled at:
 | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90
 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3
 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
 | Call Trace:
 |  <IRQ>
 |  dump_stack_lvl+0x7e/0xc0
 |  dump_stack+0x1d/0x30
 |  __might_resched+0x1a2/0x270
 |  rt_spin_lock+0x68/0x170
 |  kcsan_skip_report_debugfs+0x43/0xe0
 |  print_report+0xb5/0x590
 |  kcsan_report_known_origin+0x1b1/0x1d0
 |  kcsan_setup_watchpoint+0x348/0x650
 |  __tsan_unaligned_write1+0x16d/0x1d0
 |  hrtimer_interrupt+0x3d6/0x430
 |  __sysvec_apic_timer_interrupt+0xe8/0x3a0
 |  sysvec_apic_timer_interrupt+0x97/0xc0
 |  </IRQ>

 On a detected data race, KCSAN's reporting logic checks if it should
 filter the report. That list is protected by the report_filterlist_lock
 *non-raw* spinlock which may sleep on RT kernels.

 Since KCSAN may report data races in any context, convert it to a
 raw_spinlock.

 This requires being careful about when to allocate memory for the filter
 list itself which can be done via KCSAN's debugfs interface. Concurrent
 modification of the filter list via debugfs should be rare: the chosen
 strategy is to optimistically pre-allocate memory before the critical
 section and discard if unused.

 The Linux kernel CVE team has assigned CVE-2024-56610 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 5.10.231 with commit f4f2ef66d288ea796ddb8ecbdc2df074ab2d5f4d
 	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 5.15.174 with commit ea6588abcc15d68fdeae777ffe3dd74c02eab407
 	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.1.120 with commit 0ab4951c1473c7d1ceaf1232eb927109cd1c4859
 	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.6.66 with commit dca4e74a918586913d251c0b359e8cc96a3883ea
 	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.12.5 with commit 889a0d3a35fdedba1c5dcb6410c95c32421680ec
 	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.13 with commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56610
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/kcsan/debugfs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f4f2ef66d288ea796ddb8ecbdc2df074ab2d5f4d
 	https://git.kernel.org/stable/c/ea6588abcc15d68fdeae777ffe3dd74c02eab407
 	https://git.kernel.org/stable/c/0ab4951c1473c7d1ceaf1232eb927109cd1c4859
 	https://git.kernel.org/stable/c/dca4e74a918586913d251c0b359e8cc96a3883ea
 	https://git.kernel.org/stable/c/889a0d3a35fdedba1c5dcb6410c95c32421680ec
 	https://git.kernel.org/stable/c/59458fa4ddb47e7891c61b4a928d13d5f5b00aa0
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56610: kcsan: Turn report_filterlist_lock into a raw_spinlock

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	kcsan: Turn report_filterlist_lock into a raw_spinlock

	Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see
	splats like:

	\| BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
	\| in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
	\| preempt_count: 10002, expected: 0
	\| RCU nest depth: 0, expected: 0
	\| no locks held by swapper/1/0.
	\| irq event stamp: 156674
	\| hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240
	\| hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0
	\| softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60
	\| softirqs last disabled at (0): [<0000000000000000>] 0x0
	\| Preemption disabled at:
	\| [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90
	\| CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3
	\| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
	\| Call Trace:
	\| <IRQ>
	\| dump_stack_lvl+0x7e/0xc0
	\| dump_stack+0x1d/0x30
	\| __might_resched+0x1a2/0x270
	\| rt_spin_lock+0x68/0x170
	\| kcsan_skip_report_debugfs+0x43/0xe0
	\| print_report+0xb5/0x590
	\| kcsan_report_known_origin+0x1b1/0x1d0
	\| kcsan_setup_watchpoint+0x348/0x650
	\| __tsan_unaligned_write1+0x16d/0x1d0
	\| hrtimer_interrupt+0x3d6/0x430
	\| __sysvec_apic_timer_interrupt+0xe8/0x3a0
	\| sysvec_apic_timer_interrupt+0x97/0xc0
	\| </IRQ>

	On a detected data race, KCSAN's reporting logic checks if it should
	filter the report. That list is protected by the report_filterlist_lock
	non-raw spinlock which may sleep on RT kernels.

	Since KCSAN may report data races in any context, convert it to a
	raw_spinlock.

	This requires being careful about when to allocate memory for the filter
	list itself which can be done via KCSAN's debugfs interface. Concurrent
	modification of the filter list via debugfs should be rare: the chosen
	strategy is to optimistically pre-allocate memory before the critical
	section and discard if unused.

	The Linux kernel CVE team has assigned CVE-2024-56610 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 5.10.231 with commit f4f2ef66d288ea796ddb8ecbdc2df074ab2d5f4d
	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 5.15.174 with commit ea6588abcc15d68fdeae777ffe3dd74c02eab407
	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.1.120 with commit 0ab4951c1473c7d1ceaf1232eb927109cd1c4859
	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.6.66 with commit dca4e74a918586913d251c0b359e8cc96a3883ea
	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.12.5 with commit 889a0d3a35fdedba1c5dcb6410c95c32421680ec
	Issue introduced in 5.8 with commit dfd402a4c4baae42398ce9180ff424d589b8bffc and fixed in 6.13 with commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56610
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/kcsan/debugfs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f4f2ef66d288ea796ddb8ecbdc2df074ab2d5f4d
	https://git.kernel.org/stable/c/ea6588abcc15d68fdeae777ffe3dd74c02eab407
	https://git.kernel.org/stable/c/0ab4951c1473c7d1ceaf1232eb927109cd1c4859
	https://git.kernel.org/stable/c/dca4e74a918586913d251c0b359e8cc96a3883ea
	https://git.kernel.org/stable/c/889a0d3a35fdedba1c5dcb6410c95c32421680ec
	https://git.kernel.org/stable/c/59458fa4ddb47e7891c61b4a928d13d5f5b00aa0