CVE-2024-27005
interconnect: Don't access req_list while it's being manipulated
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
interconnect: Don't access req_list while it's being manipulated
The icc_lock mutex was split into separate icc_lock and icc_bw_lock
mutexes in [1] to avoid lockdep splats. However, this didn't adequately
protect access to icc_node::req_list.
The icc_set_bw() function will eventually iterate over req_list while
only holding icc_bw_lock, but req_list can be modified while only
holding icc_lock. This causes races between icc_set_bw(), of_icc_get(),
and icc_put().
Example A:
CPU0 CPU1
---- ----
icc_set_bw(path_a)
mutex_lock(&icc_bw_lock);
icc_put(path_b)
mutex_lock(&icc_lock);
aggregate_requests()
hlist_for_each_entry(r, ...
hlist_del(...
<r = invalid pointer>
Example B:
CPU0 CPU1
---- ----
icc_set_bw(path_a)
mutex_lock(&icc_bw_lock);
path_b = of_icc_get()
of_icc_get_by_index()
mutex_lock(&icc_lock);
path_find()
path_init()
aggregate_requests()
hlist_for_each_entry(r, ...
hlist_add_head(...
<r = invalid pointer>
Fix this by ensuring icc_bw_lock is always held before manipulating
icc_node::req_list. The additional places icc_bw_lock is held don't
perform any memory allocations, so we should still be safe from the
original lockdep splats that motivated the separate locks.
[1] commit af42269c3523 ("interconnect: Fix locking for runpm vs reclaim")
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: interconexión: no acceder a req_list mientras se está manipulando. El mutex icc_lock se dividió en mutex icc_lock e icc_bw_lock separados en [1] para evitar símbolos de bloqueo. Sin embargo, esto no protegió adecuadamente el acceso a icc_node::req_list. La función icc_set_bw() eventualmente iterará sobre req_list mientras solo mantiene icc_bw_lock, pero req_list se puede modificar mientras solo mantiene icc_lock. Esto provoca ejecucións entre icc_set_bw(), of_icc_get() e icc_put(). Ejemplo A: CPU0 CPU1 ---- ---- icc_set_bw(path_a) mutex_lock(&icc_bw_lock); icc_put(ruta_b) mutex_lock(&icc_lock); agregado_requests() hlist_for_each_entry(r, ... hlist_del(... Ejemplo B: CPU0 CPU1 ---- ---- icc_set_bw(path_a) mutex_lock(&icc_bw_lock); path_b = of_icc_get() of_icc_get_by_index( ) mutex_lock(&icc_lock); path_find() path_init() agregado_requests() hlist_for_each_entry(r, ... hlist_add_head(... Solucione este problema asegurándose de que icc_bw_lock siempre se mantenga antes de manipular icc_node::req_list. El adicional Los lugares donde se mantiene icc_bw_lock no realizan ninguna asignación de memoria, por lo que aún deberíamos estar a salvo de los símbolos de bloqueo originales que motivaron los bloqueos separados [1] commit af42269c3523 ("interconexión: arreglar el bloqueo para runpm vs reclaim")
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-05-01 CVE Published
- 2024-05-13 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/af42269c3523492d71ebbe11fefae2653e9cdc78 | Vuln. Introduced | |
https://git.kernel.org/stable/c/9be2957f014d91088db1eb5dd09d9a03d7184dce | Vuln. Introduced | |
https://git.kernel.org/stable/c/fe549d8e976300d0dd75bd904eb216bed8b145e0 | Vuln. Introduced | |
https://git.kernel.org/stable/c/ee42bfc791aa3cd78e29046f26a09d189beb3efb | Vuln. Introduced | |
https://git.kernel.org/stable/c/19ec82b3cad1abef2a929262b8c1528f4e0c192d | Vuln. Introduced | |
https://git.kernel.org/stable/c/2f3a124696d43de3c837f87a9f767c56ee86cf2a | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.29" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8.8" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.15.133 Search vendor "Linux" for product "Linux Kernel" and version "5.15.133" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.15.151 Search vendor "Linux" for product "Linux Kernel" and version "5.15.151" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.1.55 Search vendor "Linux" for product "Linux Kernel" and version "6.1.55" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.1.81 Search vendor "Linux" for product "Linux Kernel" and version "6.1.81" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5.5 Search vendor "Linux" for product "Linux Kernel" and version "6.5.5" | en |
Affected
|