ghsa-5822-38r8-r5p2
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix uevent_show() vs driver detach race
uevent_show() wants to de-reference dev->driver->name. There is no clean way for a device attribute to de-reference dev->driver unless that attribute is defined via (struct device_driver).dev_groups. Instead, the anti-pattern of taking the device_lock() in the attribute handler risks deadlocks with code paths that remove device attributes while holding the lock.
This deadlock is typically invisible to lockdep given the device_lock() is marked lockdep_set_novalidate_class(), but some subsystems allocate a local lockdep key for @dev->mutex to reveal reports of the form:
====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc7+ #275 Tainted: G OE N
modprobe/2374 is trying to acquire lock: ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220
but task is already holding lock: ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&cxl_root_key){+.+.}-{3:3}: __mutex_lock+0x99/0xc30 uevent_show+0xac/0x130 dev_attr_show+0x18/0x40 sysfs_kf_seq_show+0xac/0xf0 seq_read_iter+0x110/0x450 vfs_read+0x25b/0x340 ksys_read+0x67/0xf0 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #0 (kn->active#6){++++}-{0:0}: __lock_acquire+0x121a/0x1fa0 lock_acquire+0xd6/0x2e0 kernfs_drain+0x1e9/0x200 __kernfs_remove+0xde/0x220 kernfs_remove_by_name_ns+0x5e/0xa0 device_del+0x168/0x410 device_unregister+0x13/0x60 devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1c7/0x210 driver_detach+0x47/0x90 bus_remove_driver+0x6c/0xf0 cxl_acpi_exit+0xc/0x11 [cxl_acpi] __do_sys_delete_module.isra.0+0x181/0x260 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e
The observation though is that driver objects are typically much longer lived than device objects. It is reasonable to perform lockless de-reference of a @driver pointer even if it is racing detach from a device. Given the infrequency of driver unregistration, use synchronize_rcu() in module_remove_driver() to close any potential races. It is potentially overkill to suffer synchronize_rcu() just to handle the rare module removal racing uevent_show() event.
Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1].
{
"affected": [],
"aliases": [
"CVE-2024-44952"
],
"database_specific": {
"cwe_ids": [
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-04T19:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: Fix uevent_show() vs driver detach race\n\nuevent_show() wants to de-reference dev-\u003edriver-\u003ename. There is no clean\nway for a device attribute to de-reference dev-\u003edriver unless that\nattribute is defined via (struct device_driver).dev_groups. Instead, the\nanti-pattern of taking the device_lock() in the attribute handler risks\ndeadlocks with code paths that remove device attributes while holding\nthe lock.\n\nThis deadlock is typically invisible to lockdep given the device_lock()\nis marked lockdep_set_novalidate_class(), but some subsystems allocate a\nlocal lockdep key for @dev-\u003emutex to reveal reports of the form:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n 6.10.0-rc7+ #275 Tainted: G OE N\n ------------------------------------------------------\n modprobe/2374 is trying to acquire lock:\n ffff8c2270070de0 (kn-\u003eactive#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220\n\n but task is already holding lock:\n ffff8c22016e88f8 (\u0026cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (\u0026cxl_root_key){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc30\n uevent_show+0xac/0x130\n dev_attr_show+0x18/0x40\n sysfs_kf_seq_show+0xac/0xf0\n seq_read_iter+0x110/0x450\n vfs_read+0x25b/0x340\n ksys_read+0x67/0xf0\n do_syscall_64+0x75/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n -\u003e #0 (kn-\u003eactive#6){++++}-{0:0}:\n __lock_acquire+0x121a/0x1fa0\n lock_acquire+0xd6/0x2e0\n kernfs_drain+0x1e9/0x200\n __kernfs_remove+0xde/0x220\n kernfs_remove_by_name_ns+0x5e/0xa0\n device_del+0x168/0x410\n device_unregister+0x13/0x60\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1c7/0x210\n driver_detach+0x47/0x90\n bus_remove_driver+0x6c/0xf0\n cxl_acpi_exit+0xc/0x11 [cxl_acpi]\n __do_sys_delete_module.isra.0+0x181/0x260\n do_syscall_64+0x75/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe observation though is that driver objects are typically much longer\nlived than device objects. It is reasonable to perform lockless\nde-reference of a @driver pointer even if it is racing detach from a\ndevice. Given the infrequency of driver unregistration, use\nsynchronize_rcu() in module_remove_driver() to close any potential\nraces. It is potentially overkill to suffer synchronize_rcu() just to\nhandle the rare module removal racing uevent_show() event.\n\nThanks to Tetsuo Handa for the debug analysis of the syzbot report [1].",
"id": "GHSA-5822-38r8-r5p2",
"modified": "2024-11-08T18:30:43Z",
"published": "2024-09-04T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44952"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/15fffc6a5624b13b428bb1c6e9088e32a55eb82c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1cfc329304617838dc06f021bbbde3bc79cd655e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4749d336170dbb629e515a857e58a82e61c37a9c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49ea4e0d862632d51667da5e7a9c88a560e9c5a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4a7c2a8387524942171037e70b80e969c3b5c05b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d035c743c3e391728a6f81cbf0f7f9ca700cf62"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/92d847a35e1e41bceba13b8ac1f0e1b9dbe30d25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c23fc327d6ec67629b4ad323bd64d3834c0417d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd490a247ddf325325fd0de8898659400c9237ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cfc72b86fa20cbf44d2b6cc27b35eb15080232ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d4dba9a076838f3d0333a6a66efec2cdda90b2ee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd98c9630b7ee273da87e9a244f94ddf947161e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f098e8fc7227166206256c18d56ab622039108b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd28d9589460945985ef5333e9b942c4261f0826"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe10c8367687c27172a10ba5cc849bd82077bd7d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.