Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveLinuxCVE-2024-44952
HistorySep 04, 2024 - 7:15 p.m.

CVE-2024-44952

2024-09-0419:15:30
CWE-667
Linux
web.nvd.nist.gov
29
vulnerability
resolution
uevent_show()
driver detach race
device attribute
deadlocks
lockdep
circular locking dependency
syzbot report
cve

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

Low

EPSS

0

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

driver core: Fix uevent_show() vs driver detach race

uevent_show() wants to de-reference dev->driver->name. There is no clean
way for a device attribute to de-reference dev->driver unless that
attribute is defined via (struct device_driver).dev_groups. Instead, the
anti-pattern of taking the device_lock() in the attribute handler risks
deadlocks with code paths that remove device attributes while holding
the lock.

This deadlock is typically invisible to lockdep given the device_lock()
is marked lockdep_set_novalidate_class(), but some subsystems allocate a
local lockdep key for @dev->mutex to reveal reports of the form:

======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc7+ #275 Tainted: G OE N

modprobe/2374 is trying to acquire lock:
ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220

but task is already holding lock:
ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&cxl_root_key){+.+.}-{3:3}:
__mutex_lock+0x99/0xc30
uevent_show+0xac/0x130
dev_attr_show+0x18/0x40
sysfs_kf_seq_show+0xac/0xf0
seq_read_iter+0x110/0x450
vfs_read+0x25b/0x340
ksys_read+0x67/0xf0
do_syscall_64+0x75/0x190
entry_SYSCALL_64_after_hwframe+0x76/0x7e

-> #0 (kn->active#6){++++}-{0:0}:
__lock_acquire+0x121a/0x1fa0
lock_acquire+0xd6/0x2e0
kernfs_drain+0x1e9/0x200
__kernfs_remove+0xde/0x220
kernfs_remove_by_name_ns+0x5e/0xa0
device_del+0x168/0x410
device_unregister+0x13/0x60
devres_release_all+0xb8/0x110
device_unbind_cleanup+0xe/0x70
device_release_driver_internal+0x1c7/0x210
driver_detach+0x47/0x90
bus_remove_driver+0x6c/0xf0
cxl_acpi_exit+0xc/0x11 [cxl_acpi]
__do_sys_delete_module.isra.0+0x181/0x260
do_syscall_64+0x75/0x190
entry_SYSCALL_64_after_hwframe+0x76/0x7e

The observation though is that driver objects are typically much longer
lived than device objects. It is reasonable to perform lockless
de-reference of a @driver pointer even if it is racing detach from a
device. Given the infrequency of driver unregistration, use
synchronize_rcu() in module_remove_driver() to close any potential
races. It is potentially overkill to suffer synchronize_rcu() just to
handle the rare module removal racing uevent_show() event.

Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1].

Affected configurations

Nvd
Vulners
Node
linuxlinux_kernelRange4.19.3174.19.320
OR
linuxlinux_kernelRange5.4.2795.4.282
OR
linuxlinux_kernelRange5.10.2215.10.224
OR
linuxlinux_kernelRange5.15.1625.15.165
OR
linuxlinux_kernelRange6.1.956.1.105
OR
linuxlinux_kernelRange6.6.356.6.46
OR
linuxlinux_kernelRange6.106.10.5
OR
linuxlinux_kernelMatch6.11rc1
OR
linuxlinux_kernelMatch6.11rc2
VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel6.11cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
linuxlinux_kernel6.11cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/base/core.c",
      "drivers/base/module.c"
    ],
    "versions": [
      {
        "version": "bb3641a58317",
        "lessThan": "49ea4e0d8626",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "13d25e82b6d0",
        "lessThan": "dd98c9630b7e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "760603e30bf1",
        "lessThan": "f098e8fc7227",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ec772ed7cb21",
        "lessThan": "9c23fc327d6e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "08891eeaa97c",
        "lessThan": "4a7c2a838752",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a42b0060d6ff",
        "lessThan": "4d035c743c3e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c0a40097f0bc",
        "lessThan": "cd490a247ddf",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c0a40097f0bc",
        "lessThan": "15fffc6a5624",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/base/core.c",
      "drivers/base/module.c"
    ],
    "versions": [
      {
        "version": "6.10",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.10",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.320",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.282",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.224",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.165",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.105",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.46",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10.5",
        "lessThanOrEqual": "6.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.11",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

cvelist 1
vulnrichment 1
nvd 1
debiancve 1
ubuntucve 1
redhatcve 1
osv 1
cvelist
cvelist
CVE-2024-44952 driver core: Fix uevent_show() vs driver detach race
2024-09-04 18:35:52
vulnrichment
vulnrichment
CVE-2024-44952 driver core: Fix uevent_show() vs driver detach race
2024-09-04 18:35:52
nvd
nvd
CVE-2024-44952
2024-09-04 19:15:30
debiancve
debiancve
CVE-2024-44952
2024-09-04 19:15:30
ubuntucve
ubuntucve
CVE-2024-44952
2024-09-05 00:00:00
redhatcve
redhatcve
CVE-2024-44952
2024-09-04 20:45:12
osv
osv
CVE-2024-44952
2024-09-04 19:15:30

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

Low

EPSS

0

Percentile

5.1%

JSON
Related for CVE-2024-44952
cvelist1vulnrichment1nvd1debiancve1ubuntucve1redhatcve1osv1