oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Linux: CVE-2017-6001: Incomplete fix for CVE-2016-6786: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race

From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 16 Feb 2017 05:46:08 +0100
Hi

The original fix for CVE-2016-6786 ws incomplete. Upstream has
commited

https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290

which is in v4.10-rc4 (and also backported to 4.9.x in v4.9.7). This
has been assigned a new CVE identifier: CVE-2017-6001 (assigned via ->
https://cveform.mitre.org/).

Commit message reads as:


commit 321027c1fe77f892f4ea07846aeae08cefbbb290
Author: Peter Zijlstra <peterz () infradead org>
Date:   Wed Jan 11 21:09:50 2017 +0100

    perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
    
    Di Shen reported a race between two concurrent sys_perf_event_open()
    calls where both try and move the same pre-existing software group
    into a hardware context.
    
    The problem is exactly that described in commit:
    
      f63a8daa5812 ("perf: Fix event->ctx locking")
    
    ... where, while we wait for a ctx->mutex acquisition, the event->ctx
    relation can have changed under us.
    
    That very same commit failed to recognise sys_perf_event_context() as an
    external access vector to the events and thereby didn't apply the
    established locking rules correctly.
    
    So while one sys_perf_event_open() call is stuck waiting on
    mutex_lock_double(), the other (which owns said locks) moves the group
    about. So by the time the former sys_perf_event_open() acquires the
    locks, the context we've acquired is stale (and possibly dead).
    
    Apply the established locking rules as per perf_event_ctx_lock_nested()
    to the mutex_lock_double() for the 'move_group' case. This obviously means
    we need to validate state after we acquire the locks.
    
    Reported-by: Di Shen (Keen Lab)
    Tested-by: John Dias <joaodias () google com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz () infradead org>
    Cc: Alexander Shishkin <alexander.shishkin () linux intel com>
    Cc: Arnaldo Carvalho de Melo <acme () kernel org>
    Cc: Arnaldo Carvalho de Melo <acme () redhat com>
    Cc: Jiri Olsa <jolsa () redhat com>
    Cc: Kees Cook <keescook () chromium org>
    Cc: Linus Torvalds <torvalds () linux-foundation org>
    Cc: Min Chong <mchong () google com>
    Cc: Peter Zijlstra <peterz () infradead org>
    Cc: Stephane Eranian <eranian () google com>
    Cc: Thomas Gleixner <tglx () linutronix de>
    Cc: Vince Weaver <vincent.weaver () maine edu>
    Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
    Link: http://lkml.kernel.org/r/20170106131444.GZ3174 () twins programming kicks-ass net
    Signed-off-by: Ingo Molnar <mingo () kernel org>


Regards,
Salvatore
Previous By Date Next
Previous By Thread Next

Current thread: