CVE-2024-39501: drivers: core: synchronize really_probe() and dev_uevent()

First published: Fri Jul 12 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: drivers: core: synchronize really_probe() and dev_uevent() Synchronize the dev-&gt;driver usage in really_probe() and dev_uevent(). These can run in different threads, what can result in the following race condition for dev-&gt;driver uninitialization: Thread #1: ========== really_probe() { ... probe_failed: ... device_unbind_cleanup(dev) { ... dev-&gt;driver = NULL; // &lt;= Failed probe sets dev-&gt;driver to NULL ... } ... } Thread #2: ========== dev_uevent() { ... if (dev-&gt;driver) // If dev-&gt;driver is NULLed from really_probe() from here on, // after above check, the system crashes add_uevent_var(env, "DRIVER=%s", dev-&gt;driver-&gt;name); ... } really_probe() holds the lock, already. So nothing needs to be done there. dev_uevent() is called with lock held, often, too. But not always. What implies that we can't add any locking in dev_uevent() itself. So fix this race by adding the lock to the non-protected path. This is the path where above race is observed: dev_uevent+0x235/0x380 uevent_show+0x10c/0x1f0 &lt;= Add lock here dev_attr_show+0x3a/0xa0 sysfs_kf_seq_show+0x17c/0x250 kernfs_seq_show+0x7c/0x90 seq_read_iter+0x2d7/0x940 kernfs_fop_read_iter+0xc6/0x310 vfs_read+0x5bc/0x6b0 ksys_read+0xeb/0x1b0 __x64_sys_read+0x42/0x50 x64_sys_call+0x27ad/0x2d30 do_syscall_64+0xcd/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Similar cases are reported by syzkaller in <a href="https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a">https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a</a> But these are regarding the *initialization* of dev-&gt;driver dev-&gt;driver = drv; As this switches dev-&gt;driver to non-NULL these reports can be considered to be false-positives (which should be "fixed" by this commit, as well, though). The same issue was reported and tried to be fixed back in 2015 in <a href="https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/">https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/</a> already.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/title
• agent/type
• collector/nvd-api
• source/NVD
• agent/author
• agent/remedy
• agent/first-publish-date
• agent/severity
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2024-39501
• agent/software-canonical-lookup
• collector/nvd-cve
• collector/mitre-cve
• source/MITRE
• agent/trending
• collector/usn-cve
• source/Ubuntu
• collector/security-tracker-debian
• source/Debian
• agent/last-modified-date
• agent/references
• agent/source
• agent/softwarecombine
• agent/tags
• agent/description
• agent/event
• collector/ibm-support
• source/IBM
• package-manager/redhat
• package-manager/debian
• vendor/ibm
• canonical/ibm security verify governance - identity manager
• version/ibm security verify governance - identity manager/isvg 10.0.2
• canonical/ibm security verify governance, identity manager software stack
• version/ibm security verify governance, identity manager software stack/isvg 10.0.2
• canonical/ibm security verify governance, identity manager virtual appliance
• version/ibm security verify governance, identity manager virtual appliance/isvg 10.0.2
• canonical/ibm security verify governance identity manager container
• version/ibm security verify governance identity manager container/isvg 10.0.2