| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 May 2024 16:58:15 +0300 From: Nikolay Borisov <nik.borisov@...e.com> To: Vegard Nossum <vegard.nossum@...cle.com>, cve@...nel.org, linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com> Subject: Re: CVE-2024-35876: x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() On 23.05.24 г. 16:54 ч., Vegard Nossum wrote: > > On 23/05/2024 12:24, Nikolay Borisov wrote: >> On 19.05.24 г. 11:34 ч., Greg Kroah-Hartman wrote: >>> Description >>> =========== >>> >>> In the Linux kernel, the following vulnerability has been resolved: >>> >>> x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() >>> >>> Modifying a MCA bank's MCA_CTL bits which control which error types to >>> be reported is done over >>> >>> /sys/devices/system/machinecheck/ >>> ├── machinecheck0 >>> │ ├── bank0 >>> │ ├── bank1 >>> │ ├── bank10 >>> │ ├── bank11 >>> ... >>> >>> sysfs nodes by writing the new bit mask of events to enable. >>> >>> When the write is accepted, the kernel deletes all current timers and >>> reinits all banks. >>> >>> Doing that in parallel can lead to initializing a timer which is already >>> armed and in the timer wheel, i.e., in use already: >>> >>> ODEBUG: init active (active state 0) object: ffff888063a28000 object >>> type: timer_list hint: mce_timer_fn+0x0/0x240 >>> arch/x86/kernel/cpu/mce/core.c:2642 >>> WARNING: CPU: 0 PID: 8120 at lib/debugobjects.c:514 >>> debug_print_object+0x1a0/0x2a0 lib/debugobjects.c:514 >>> >>> Fix that by grabbing the sysfs mutex as the rest of the MCA sysfs code >>> does. >>> >>> Reported by: Yue Sun <samsun1006219@...il.com> >>> Reported by: xingwei lee <xrivendell7@...il.com> >>> >>> The Linux kernel CVE team has assigned CVE-2024-35876 to this issue. >> >> >> I'd like to dispute the CVE for this issue. Those sysfs entries are >> owned by root and can only be written by it. There are innumerable >> ways in which root can corrupt/crash the state of the machine and I >> don't see why this is anything special. > > I haven't looked at the issue in detail but it sounds like this > potentially breaks lockdown (which is arguably a security feature) so How exactly does it break lockdown ? > "requires root" to reach is not really an argument against this having a > CVE assigned. > > > Vegard
Powered by blists - more mailing lists