Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2024-27005

Disclosure Date: May 01, 2024
CVE-2024-27005
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

interconnect: Don’t access req_list while it’s being manipulated

The icc_lock mutex was split into separate icc_lock and icc_bw_lock
mutexes in [1] to avoid lockdep splats. However, this didn’t adequately
protect access to icc_node::req_list.

The icc_set_bw() function will eventually iterate over req_list while
only holding icc_bw_lock, but req_list can be modified while only
holding icc_lock. This causes races between icc_set_bw(), of_icc_get(),
and icc_put().

Example A:

CPU0 CPU1

icc_set_bw(path_a)

mutex_lock(&icc_bw_lock);
                                 icc_put(path_b)
                                   mutex_lock(&icc_lock);
aggregate_requests()
  hlist_for_each_entry(r, ...
                                   hlist_del(...
    <r = invalid pointer>

Example B:

CPU0 CPU1

icc_set_bw(path_a)

mutex_lock(&icc_bw_lock);
                                 path_b = of_icc_get()
                                   of_icc_get_by_index()
                                     mutex_lock(&icc_lock);
                                     path_find()
                                       path_init()
aggregate_requests()
  hlist_for_each_entry(r, ...
                                         hlist_add_head(...
    <r = invalid pointer>

Fix this by ensuring icc_bw_lock is always held before manipulating
icc_node::req_list. The additional places icc_bw_lock is held don’t
perform any memory allocations, so we should still be safe from the
original lockdep splats that motivated the separate locks.

[1] commit af42269c3523 (“interconnect: Fix locking for runpm vs reclaim”)

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux d0d04efa2e36
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Linux

Products

  • Linux
Technical Analysis