CVE Details
Description
In the Linux kernel, the following vulnerability has been resolved:\ndrm/drm_file: Fix pid refcounting race\n, Maxime Ripard\n, Thomas Zimmermann \nfilp->pid is supposed to be a refcounted pointer; however, before this\npatch, drm_file_update_pid() only increments the refcount of a struct\npid after storing a pointer to it in filp->pid and dropping the\ndev->filelist_mutex, making the following race possible:\nprocess A process B\n========= =========\nbegin drm_file_update_pid\nmutex_lock(&dev->filelist_mutex)\nrcu_replace_pointer(filp->pid, , 1)\nmutex_unlock(&dev->filelist_mutex)\nbegin drm_file_update_pid\nmutex_lock(&dev->filelist_mutex)\nrcu_replace_pointer(filp->pid, , 1)\nmutex_unlock(&dev->filelist_mutex)\nget_pid()\nsynchronize_rcu()\nput_pid() *** pid B reaches refcount 0 and is freed here ***\nget_pid() *** UAF ***\nsynchronize_rcu()\nput_pid()\nAs far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y\nbecause it requires RCU to detect a quiescent state in code that is not\nexplicitly calling into the scheduler.\nThis race leads to use-after-free of a 'struct pid'.\nIt is probably somewhat hard to hit because process A has to pass\nthrough a synchronize_rcu() operation while process B is between\nmutex_unlock() and get_pid().\nFix it by ensuring that by the time a pointer to the current task's pid\nis stored in the file, an extra reference to the pid has been taken.\nThis fix also removes the condition for synchronize_rcu(); I think\nthat optimization is unnecessary complexity, since in that case we\nwould usually have bailed out on the lockless check above.
See more information about CVE-2024-39486 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 5.5 |
| Vector String: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | Low |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality Impact: | None |
| Integrity Impact: | None |
| Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 9 (kernel) | ELSA-2024-9315 | 2024-11-14 |
