[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <01e1183c-46c3-41ca-8b47-d008747c164a@suse.com>
Date: Thu, 23 May 2024 16:58:15 +0300
From: Nikolay Borisov <nik.borisov@...e.com>
To: Vegard Nossum <vegard.nossum@...cle.com>, cve@...nel.org,
linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Subject: Re: CVE-2024-35876: x86/mce: Make sure to grab mce_sysfs_mutex in
set_bank()
On 23.05.24 г. 16:54 ч., Vegard Nossum wrote:
>
> On 23/05/2024 12:24, Nikolay Borisov wrote:
>> On 19.05.24 г. 11:34 ч., Greg Kroah-Hartman wrote:
>>> Description
>>> ===========
>>>
>>> In the Linux kernel, the following vulnerability has been resolved:
>>>
>>> x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
>>>
>>> Modifying a MCA bank's MCA_CTL bits which control which error types to
>>> be reported is done over
>>>
>>> /sys/devices/system/machinecheck/
>>> ├── machinecheck0
>>> │ ├── bank0
>>> │ ├── bank1
>>> │ ├── bank10
>>> │ ├── bank11
>>> ...
>>>
>>> sysfs nodes by writing the new bit mask of events to enable.
>>>
>>> When the write is accepted, the kernel deletes all current timers and
>>> reinits all banks.
>>>
>>> Doing that in parallel can lead to initializing a timer which is already
>>> armed and in the timer wheel, i.e., in use already:
>>>
>>> ODEBUG: init active (active state 0) object: ffff888063a28000 object
>>> type: timer_list hint: mce_timer_fn+0x0/0x240
>>> arch/x86/kernel/cpu/mce/core.c:2642
>>> WARNING: CPU: 0 PID: 8120 at lib/debugobjects.c:514
>>> debug_print_object+0x1a0/0x2a0 lib/debugobjects.c:514
>>>
>>> Fix that by grabbing the sysfs mutex as the rest of the MCA sysfs code
>>> does.
>>>
>>> Reported by: Yue Sun <samsun1006219@...il.com>
>>> Reported by: xingwei lee <xrivendell7@...il.com>
>>>
>>> The Linux kernel CVE team has assigned CVE-2024-35876 to this issue.
>>
>>
>> I'd like to dispute the CVE for this issue. Those sysfs entries are
>> owned by root and can only be written by it. There are innumerable
>> ways in which root can corrupt/crash the state of the machine and I
>> don't see why this is anything special.
>
> I haven't looked at the issue in detail but it sounds like this
> potentially breaks lockdown (which is arguably a security feature) so
How exactly does it break lockdown ?
> "requires root" to reach is not really an argument against this having a
> CVE assigned.
>
>
> Vegard
Powered by blists - more mailing lists