oss-sec mailing list archives
Linux: CVE-2017-6001: Incomplete fix for CVE-2016-6786: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 16 Feb 2017 05:46:08 +0100
Hi

The original fix for CVE-2016-6786 was incomplete. Upstream has committed
https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290
which is in v4.10-rc4 (and also backported to 4.9.x in v4.9.7).

This has been assigned a new CVE identifier: CVE-2017-6001 (assigned via -> https://cveform.mitre.org/).

Commit message reads as:
commit 321027c1fe77f892f4ea07846aeae08cefbbb290
Author: Peter Zijlstra <peterz () infradead org>
Date:   Wed Jan 11 21:09:50 2017 +0100

    perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race

    Di Shen reported a race between two concurrent sys_perf_event_open()
    calls where both try and move the same pre-existing software group
    into a hardware context.

    The problem is exactly that described in commit:

      f63a8daa5812 ("perf: Fix event->ctx locking")

    ... where, while we wait for a ctx->mutex acquisition, the event->ctx
    relation can have changed under us.

    That very same commit failed to recognise sys_perf_event_context() as an
    external access vector to the events and thereby didn't apply the
    established locking rules correctly.

    So while one sys_perf_event_open() call is stuck waiting on
    mutex_lock_double(), the other (which owns said locks) moves the group
    about. So by the time the former sys_perf_event_open() acquires the
    locks, the context we've acquired is stale (and possibly dead).

    Apply the established locking rules as per perf_event_ctx_lock_nested()
    to the mutex_lock_double() for the 'move_group' case. This obviously means
    we need to validate state after we acquire the locks.

    Reported-by: Di Shen (Keen Lab)
    Tested-by: John Dias <joaodias () google com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz () infradead org>
    Cc: Alexander Shishkin <alexander.shishkin () linux intel com>
    Cc: Arnaldo Carvalho de Melo <acme () kernel org>
    Cc: Arnaldo Carvalho de Melo <acme () redhat com>
    Cc: Jiri Olsa <jolsa () redhat com>
    Cc: Kees Cook <keescook () chromium org>
    Cc: Linus Torvalds <torvalds () linux-foundation org>
    Cc: Min Chong <mchong () google com>
    Cc: Peter Zijlstra <peterz () infradead org>
    Cc: Stephane Eranian <eranian () google com>
    Cc: Thomas Gleixner <tglx () linutronix de>
    Cc: Vince Weaver <vincent.weaver () maine edu>
    Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
    Link: http://lkml.kernel.org/r/20170106131444.GZ3174 () twins programming kicks-ass net
    Signed-off-by: Ingo Molnar <mingo () kernel org>
Regards,
Salvatore
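
Added example (not part of the original post and not the kernel patch): a single-threaded userspace model of the rule the commit message describes, where the context sampled from event->ctx must be revalidated after the lock is acquired. The struct layouts, the race_fn hook that stands in for the other task running while we wait, and all function names are assumptions made for illustration; the model leaves out the reference counting and RCU the kernel also uses.

```c
/* Userspace model (constructed for illustration, not kernel code) of the
 * "lock, then revalidate event->ctx" rule from the commit message. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ctx   { bool locked; bool dead; };
struct event { struct ctx *ctx; };       /* relation another task may change */
typedef void (*race_fn)(struct event *); /* hypothetical: runs "while we wait" */

static struct ctx hw_ctx;                /* destination of the simulated move */
static void ctx_lock(struct ctx *c)   { c->locked = true; }
static void ctx_unlock(struct ctx *c) { c->locked = false; }

/* Simulated concurrent 'move_group': re-home the event, old context dies. */
static void move_group(struct event *e)
{
    e->ctx->dead = true;
    e->ctx = &hw_ctx;
}

/* Unsafe shape: sample event->ctx, block on the lock, trust the sample. */
static struct ctx *lock_ctx_unchecked(struct event *e, race_fn while_waiting)
{
    struct ctx *c = e->ctx;
    if (while_waiting) while_waiting(e);    /* other task runs here */
    ctx_lock(c);
    return c;                               /* may be stale and dead */
}

/* Safe shape: after acquiring, confirm event->ctx is unchanged, else retry. */
static struct ctx *lock_ctx_revalidate(struct event *e, race_fn while_waiting)
{
    for (;;) {
        struct ctx *c = e->ctx;
        if (while_waiting) { while_waiting(e); while_waiting = NULL; }
        ctx_lock(c);
        if (e->ctx == c)
            return c;                       /* relation held under the lock */
        ctx_unlock(c);                      /* stale: drop it and resample */
    }
}

int main(void)
{
    struct ctx sw = {0};
    struct event e = { &sw };
    printf("unchecked holds dead ctx: %d\n", lock_ctx_unchecked(&e, move_group)->dead);
    e.ctx = &sw;
    printf("revalidate holds dead ctx: %d\n", lock_ctx_revalidate(&e, move_group)->dead);
    return 0;
}
```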