CVE-2024-44952

CVE Details

Release Date:2024-09-04

Description


In the Linux kernel, the following vulnerability has been resolved:\ndriver core: Fix uevent_show() vs driver detach race\nuevent_show() wants to de-reference dev->driver->name. There is no clean\nway for a device attribute to de-reference dev->driver unless that\nattribute is defined via (struct device_driver).dev_groups. Instead, the\nanti-pattern of taking the device_lock() in the attribute handler risks\ndeadlocks with code paths that remove device attributes while holding\nthe lock.\nThis deadlock is typically invisible to lockdep given the device_lock()\nis marked lockdep_set_novalidate_class(), but some subsystems allocate a\nlocal lockdep key for @dev->mutex to reveal reports of the form:\n======================================================\nWARNING: possible circular locking dependency detected\n6.10.0-rc7+ #275 Tainted: G OE N\n------------------------------------------------------\nmodprobe/2374 is trying to acquire lock:\nffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220\nbut task is already holding lock:\nffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210\nwhich lock already depends on the new lock.\nthe existing dependency chain (in reverse order) is:\n-> #1 (&cxl_root_key){+.+.}-{3:3}:\n__mutex_lock+0x99/0xc30\nuevent_show+0xac/0x130\ndev_attr_show+0x18/0x40\nsysfs_kf_seq_show+0xac/0xf0\nseq_read_iter+0x110/0x450\nvfs_read+0x25b/0x340\nksys_read+0x67/0xf0\ndo_syscall_64+0x75/0x190\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n-> #0 (kn->active#6){++++}-{0:0}:\n__lock_acquire+0x121a/0x1fa0\nlock_acquire+0xd6/0x2e0\nkernfs_drain+0x1e9/0x200\n__kernfs_remove+0xde/0x220\nkernfs_remove_by_name_ns+0x5e/0xa0\ndevice_del+0x168/0x410\ndevice_unregister+0x13/0x60\ndevres_release_all+0xb8/0x110\ndevice_unbind_cleanup+0xe/0x70\ndevice_release_driver_internal+0x1c7/0x210\ndriver_detach+0x47/0x90\nbus_remove_driver+0x6c/0xf0\ncxl_acpi_exit+0xc/0x11 [cxl_acpi]\n__do_sys_delete_module.isra.0+0x181/0x260\ndo_syscall_64+0x75/0x190\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nThe observation though is that driver objects are typically much longer\nlived than device objects. It is reasonable to perform lockless\nde-reference of a @driver pointer even if it is racing detach from a\ndevice. Given the infrequency of driver unregistration, use\nsynchronize_rcu() in module_remove_driver() to close any potential\nraces. It is potentially overkill to suffer synchronize_rcu() just to\nhandle the rare module removal racing uevent_show() event.\nThanks to Tetsuo Handa for the debug analysis of the syzbot report [1].

See more information about CVE-2024-44952 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local network Attack Complexity: Low
Privileges Required: Low User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 7 (kernel-uek)ELSA-2024-127792024-10-11
Oracle Linux version 8 (kernel-uek)ELSA-2024-126822024-09-23
Oracle Linux version 9 (kernel-uek)ELSA-2024-126822024-09-23


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete