Date: Sat,  6 Jul 2024 11:25:29 +0200
From: Greg Kroah-Hartman <>
Cc: Greg Kroah-Hartman <>
Subject: CVE-2024-39486: drm/drm_file: Fix pid refcounting race
In the Linux kernel, the following vulnerability has been resolved:

drm/drm_file: Fix pid refcounting race

filp->pid is supposed to be a refcounted pointer; however, before this
patch, drm_file_update_pid() only increments the refcount of a struct
pid after storing a pointer to it in filp->pid and dropping the
dev->filelist_mutex, making the following race possible:

process A               process B
=========               =========
                        begin drm_file_update_pid
                        rcu_replace_pointer(filp->pid, <pid B>, 1)
begin drm_file_update_pid
rcu_replace_pointer(filp->pid, <pid A>, 1)
get_pid(<pid A>)
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***
                        get_pid(<pid B>)   *** UAF ***
                        put_pid(<pid A>)

As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
because it requires RCU to detect a quiescent state in code that is not
explicitly calling into the scheduler.

This race leads to use-after-free of a "struct pid".
It is probably somewhat hard to hit because process A has to pass
through a synchronize_rcu() operation while process B is between
mutex_unlock() and get_pid().

Fix it by ensuring that by the time a pointer to the current task's pid
is stored in the file, an extra reference to the pid has been taken.

This fix also removes the condition for synchronize_rcu(); I think
that optimization is unnecessary complexity, since in that case we
would usually have bailed out on the lockless check above.

The Linux kernel CVE team has assigned CVE-2024-39486 to this issue.
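As an added illustration (not the kernel's code and not part of the announcement), this userspace C model replays the interleaving from the race table above with the ordering the commit message describes as buggy (store the pointer, then get_pid, then put_pid) and with the fixed ordering (get_pid before the store). The struct layouts, starting refcounts (task's own reference plus the file's existing reference to pid A) and the replay function are assumptions made for the model.

```c
#include <stdio.h>
#include <stdbool.h>

/* Minimal refcounted stand-in for struct pid: refcount 0 means freed. */
struct pid { int refcount; bool freed; };
struct drm_file { struct pid *pid; };

static int uaf_count;               /* bumped whenever a freed pid is touched */

static struct pid *get_pid(struct pid *p)
{
    if (p->freed) uaf_count++;
    p->refcount++;
    return p;
}

static void put_pid(struct pid *p)
{
    if (p->freed) uaf_count++;
    if (--p->refcount == 0) p->freed = true;   /* stands in for the real free */
}

/* Replay the race table: B stores its pid, A then runs its whole update, then
 * B resumes. Returns how many accesses to a freed pid occurred.
 * buggy=true  models the old ordering (store, get_pid, put_pid);
 * buggy=false models the fix (get_pid before the store, then put_pid). */
static int replay(bool buggy)
{
    /* Assumption: pid A is held by task A and by the file (2), pid B only by task B. */
    struct pid pa = {2, false}, pb = {1, false};
    struct drm_file filp = { &pa };
    struct pid *old_a, *old_b;

    uaf_count = 0;
    if (!buggy) get_pid(&pb);               /* fix: take the reference first */
    old_b = filp.pid; filp.pid = &pb;       /* B: rcu_replace_pointer(filp->pid, pid B) */
                                            /* B is now between mutex_unlock and get_pid */
    if (!buggy) get_pid(&pa);
    old_a = filp.pid; filp.pid = &pa;       /* A: rcu_replace_pointer(filp->pid, pid A) */
    if (buggy) get_pid(&pa);
    put_pid(old_a);                         /* A drops pid B; buggy: refcount reaches 0 */

    if (buggy) get_pid(&pb);                /* B resumes: touches freed pid B */
    put_pid(old_b);                         /* B drops pid A */
    return uaf_count;
}

int main(void)
{
    printf("buggy ordering: %d freed-pid accesses\n", replay(true));
    printf("fixed ordering: %d freed-pid accesses\n", replay(false));
    return 0;
}
```

With the fixed ordering both pids end with the refcounts their remaining holders expect (pid A: task plus file, pid B: task only), which is the balance the real get_pid/put_pid pairing has to preserve.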

Affected and fixed versions

	Issue introduced in 6.6.9 with commit 031ddd280089 and fixed in 6.6.37 with commit 16682588ead4
	Issue introduced in 6.7 with commit 1c7a387ffef8 and fixed in 6.9.8 with commit 0acce2a5c619
	Issue introduced in 6.7 with commit 1c7a387ffef8 and fixed in 6.10-rc6 with commit 4f2a129b33a2

Please see for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.

Affected files

The file(s) affected by this issue are:


The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
