Re: CVE-2024-35876: x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
From: Nikolay Borisov
Date: Thu May 23 2024 - 09:58:59 EST
On 23.05.24 г. 16:54 ч., Vegard Nossum wrote:
On 23/05/2024 12:24, Nikolay Borisov wrote:
On 19.05.24 г. 11:34 ч., Greg Kroah-Hartman wrote:
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
Modifying a MCA bank's MCA_CTL bits which control which error types to
be reported is done over
/sys/devices/system/machinecheck/
├── machinecheck0
│ ├── bank0
│ ├── bank1
│ ├── bank10
│ ├── bank11
...
sysfs nodes by writing the new bit mask of events to enable.
When the write is accepted, the kernel deletes all current timers and
reinits all banks.
Doing that in parallel can lead to initializing a timer which is already
armed and in the timer wheel, i.e., in use already:
ODEBUG: init active (active state 0) object: ffff888063a28000 object
type: timer_list hint: mce_timer_fn+0x0/0x240
arch/x86/kernel/cpu/mce/core.c:2642
WARNING: CPU: 0 PID: 8120 at lib/debugobjects.c:514
debug_print_object+0x1a0/0x2a0 lib/debugobjects.c:514
Fix that by grabbing the sysfs mutex as the rest of the MCA sysfs code
does.
Reported by: Yue Sun <samsun1006219@xxxxxxxxx>
Reported by: xingwei lee <xrivendell7@xxxxxxxxx>
The Linux kernel CVE team has assigned CVE-2024-35876 to this issue.
I'd like to dispute the CVE for this issue. Those sysfs entries are
owned by root and can only be written by it. There are innumerable
ways in which root can corrupt/crash the state of the machine and I
don't see why this is anything special.
I haven't looked at the issue in detail but it sounds like this
potentially breaks lockdown (which is arguably a security feature) so
How exactly does it break lockdown ?
"requires root" to reach is not really an argument against this having a
CVE assigned.
Vegard