In the Linux kernel, the following vulnerability has been resolved:
drm/drm_file: Fix pid refcounting race
<[email protected]>, Maxime Ripard
<[email protected]>, Thomas Zimmermann <[email protected]>
filp->pid is supposed to be a refcounted pointer; however, before this
patch, drm_file_update_pid() only increments the refcount of a struct
pid after storing a pointer to it in filp->pid and dropping the
dev->filelist_mutex, making the following race possible:
process A process B
========= =========
begin drm_file_update_pid
mutex_lock(&dev->filelist_mutex)
rcu_replace_pointer(filp->pid, <pid B>, 1)
mutex_unlock(&dev->filelist_mutex)
begin drm_file_update_pid
mutex_lock(&dev->filelist_mutex)
rcu_replace_pointer(filp->pid, <pid A>, 1)
mutex_unlock(&dev->filelist_mutex)
get_pid(<pid A>)
synchronize_rcu()
put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here ***
get_pid(<pid B>) *** UAF ***
synchronize_rcu()
put_pid(<pid A>)
As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
because it requires RCU to detect a quiescent state in code that is not
explicitly calling into the scheduler.
This race leads to use-after-free of a "struct pid".
It is probably somewhat hard to hit because process A has to pass
through a synchronize_rcu() operation while process B is between
mutex_unlock() and get_pid().
Fix it by ensuring that by the time a pointer to the current task's pid
is stored in the file, an extra reference to the pid has been taken.
This fix also removes the condition for synchronize_rcu(); I think
that optimization is unnecessary complexity, since in that case we
would usually have bailed out on the lockless check above.
Metrics
Affected Vendors & Products
References
History
Fri, 20 Dec 2024 08:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 13 Nov 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat enterprise Linux |
|
CPEs | cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9 |
|
Vendors & Products |
Redhat
Redhat enterprise Linux |
Thu, 22 Aug 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Linux
Linux linux Kernel |
|
Weaknesses | CWE-416 | |
CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:* |
|
Vendors & Products |
Linux
Linux linux Kernel |
|
Metrics |
cvssV3_1
|
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-07-06T09:25:21.514Z
Updated: 2024-12-19T09:07:07.027Z
Reserved: 2024-06-25T14:23:23.747Z
Link: CVE-2024-39486
Vulnrichment
Updated: 2024-08-02T04:26:15.689Z
NVD
Status : Modified
Published: 2024-07-06T10:15:03.393
Modified: 2024-11-21T09:27:47.623
Link: CVE-2024-39486
Redhat