CVE-2024-39501

2024-07-1213:15:12

Linux

web.nvd.nist.gov

linux kernel

vulnerability

drivers core

synchronization

race condition

dev->driver

lock

syzkaller

AI Score

6.5

Confidence

High

EPSS

Percentile

13.4%

JSON

In the Linux kernel, the following vulnerability has been resolved:

drivers: core: synchronize really_probe() and dev_uevent()

Synchronize the dev->driver usage in really_probe() and dev_uevent().
These can run in different threads, what can result in the following
race condition for dev->driver uninitialization:

Thread #1:

really_probe() {
…
probe_failed:
…
device_unbind_cleanup(dev) {
…
dev->driver = NULL; // <= Failed probe sets dev->driver to NULL
…
}
…
}

Thread #2:

dev_uevent() {
…
if (dev->driver)
// If dev->driver is NULLed from really_probe() from here on,
// after above check, the system crashes
add_uevent_var(env, “DRIVER=%s”, dev->driver->name);
…
}

really_probe() holds the lock, already. So nothing needs to be done
there. dev_uevent() is called with lock held, often, too. But not
always. What implies that we can’t add any locking in dev_uevent()
itself. So fix this race by adding the lock to the non-protected
path. This is the path where above race is observed:

dev_uevent+0x235/0x380
uevent_show+0x10c/0x1f0 <= Add lock here
dev_attr_show+0x3a/0xa0
sysfs_kf_seq_show+0x17c/0x250
kernfs_seq_show+0x7c/0x90
seq_read_iter+0x2d7/0x940
kernfs_fop_read_iter+0xc6/0x310
vfs_read+0x5bc/0x6b0
ksys_read+0xeb/0x1b0
__x64_sys_read+0x42/0x50
x64_sys_call+0x27ad/0x2d30
do_syscall_64+0xcd/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Similar cases are reported by syzkaller in

https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a

But these are regarding the initialization of dev->driver

dev->driver = drv;

As this switches dev->driver to non-NULL these reports can be considered
to be false-positives (which should be “fixed” by this commit, as well,
though).

The same issue was reported and tried to be fixed back in 2015 in

https://lore.kernel.org/lkml/[email protected]/

already.

Affected configurations

Vulners

Node

linuxlinux_kernelRange2.6.21–4.19.317

linuxlinux_kernelRange4.20.0–5.4.279

linuxlinux_kernelRange5.5.0–5.10.221

linuxlinux_kernelRange5.11.0–5.15.162

linuxlinux_kernelRange5.16.0–6.1.95

linuxlinux_kernelRange6.2.0–6.6.35

linuxlinux_kernelRange6.7.0–6.9.6

linuxlinux_kernelRange6.10.0≥

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:a:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/base/core.c"
    ],
    "versions": [
      {
        "version": "239378f16aa1",
        "lessThan": "bb3641a58317",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "13d25e82b6d0",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "760603e30bf1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "ec772ed7cb21",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "08891eeaa97c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "a42b0060d6ff",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "95d03d369ea6",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "239378f16aa1",
        "lessThan": "c0a40097f0bc",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/base/core.c"
    ],
    "versions": [
      {
        "version": "2.6.21",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.21",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.317",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.279",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.221",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.162",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.95",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.35",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.6",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]