CVE-2024-39479

In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn't. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:27

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 - Mailing List, Patch () https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 - Mailing List, Patch
References () https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f - Mailing List, Patch () https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f - Mailing List, Patch
References () https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 - Mailing List, Patch () https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 - Mailing List, Patch

08 Jul 2024, 18:01

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
First Time Linux
Linux linux Kernel
References () https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 - () https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 - Mailing List, Patch
References () https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f - () https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f - Mailing List, Patch
References () https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 - () https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 - Mailing List, Patch

08 Jul 2024, 14:18

Type Values Removed Values Added
CWE CWE-400
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8

05 Jul 2024, 12:55

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/i915/hwmon: deshacerse de devm Cuando tanto hwmon como hwmon drvdata (del cual depende hwmon) son recursos administrados por el dispositivo, la expectativa, al desvincular el dispositivo, es que hwmon publicarse antes que drvdata. Sin embargo, en i915 hay dos rutas de código independientes, que liberan drvdata o hwmon y cualquiera de ellas puede publicarse antes que la otra. Estas rutas de código (para desvincular el dispositivo) son las siguientes (consulte también el error al que se hace referencia a continuación): Seguimiento de llamadas: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 componente_unbind_all+0x8d/0xa0 componente_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915 ] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 dispositivo_release_driver_internal+0x19c/0x200 store+0x9c/0xb0 y seguimiento de llamadas: release_nodes+0x11/0x70 devres_release_all +0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 Esto significa que en i915, si usa devm, no podemos garantizar que hwmon siempre se publicará antes que drvdata. Lo que significa que tenemos un uaf si se accede a hwmon sysfs cuando drvdata se lanzó pero hwmon no. La única forma de solucionar esto parece ser deshacerse de devm_ y liberar/liberar todo explícitamente durante la desvinculación del dispositivo. v2: Cambiar mensaje de confirmación y otros cambios menores de código v3: Limpieza de i915_hwmon_register en caso de error (Armin Wolf) v4: Eliminar posible advertencia del analizador estático (Rodrigo) Eliminar fetch_and_zero (Jani) v5: Restaurar la lógica anterior para el retorno de error ddat_gt->hwmon_dev (Andi )

05 Jul 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-05 07:15

Updated : 2024-11-21 09:27


NVD link : CVE-2024-39479

Mitre link : CVE-2024-39479

CVE.ORG link : CVE-2024-39479


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
NVD-CWE-noinfo CWE-400

Uncontrolled Resource Consumption