CVE-2024-38601
Vulnerability from cvelistv5
Published: 2024-06-19 13:48
Modified: 2024-12-19 09:05
Severity: no CVSS score in the record (CISA SSVC: Exploitation none, Automatable no, Technical Impact partial)
Summary
In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix a race between readers and resize checks

The reader code in rb_get_reader_page() swaps a new reader page into the
ring buffer by doing cmpxchg on old->list.prev->next to point it to the
new page. Following that, if the operation is successful,
old->list.next->prev gets updated too. This means the underlying
doubly-linked list is temporarily inconsistent, page->prev->next or
page->next->prev might not be equal back to page for some page in the
ring buffer.

The resize operation in ring_buffer_resize() can be invoked in parallel.
It calls rb_check_pages() which can detect the described inconsistency
and stop further tracing:

[  190.271762] ------------[ cut here ]------------
[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0
[  190.271789] Modules linked in: [...]
[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1
[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f
[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014
[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0
[  190.272023] Code: [...]
[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206
[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80
[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700
[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000
[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720
[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000
[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000
[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0
[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  190.272077] Call Trace:
[  190.272098]  <TASK>
[  190.272189]  ring_buffer_resize+0x2ab/0x460
[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0
[  190.272206]  tracing_resize_ring_buffer+0x65/0x90
[  190.272216]  tracing_entries_write+0x74/0xc0
[  190.272225]  vfs_write+0xf5/0x420
[  190.272248]  ksys_write+0x67/0xe0
[  190.272256]  do_syscall_64+0x82/0x170
[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  190.272373] RIP: 0033:0x7f1bd657d263
[  190.272381] Code: [...]
[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263
[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001
[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000
[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500
[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002
[  190.272412]  </TASK>
[  190.272414] ---[ end trace 0000000000000000 ]---

Note that ring_buffer_resize() calls rb_check_pages() only if the parent
trace_buffer has recording disabled. Recent commit d78ab792705c
("tracing: Stop current tracer when resizing buffer") causes that it is
now always the case which makes it more likely to experience this issue.

The window to hit this race is nonetheless very small. To help
reproducing it, one can add a delay loop in rb_get_reader_page():

 ret = rb_head_page_replace(reader, cpu_buffer->reader_page);
 if (!ret)
 	goto spin;
 for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */
 	__asm__ __volatile__ ("" : : : "memory");
 rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;

..
---truncated---
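The two-step swap and the invariant it transiently breaks, as an added user-space model. This is example code written for this page, not kernel code: `struct cpu_buffer`, `check_pages`, `reader_swap` and the window hook are this model's own names, it uses a sentinel head and a plain pointer store where the kernel uses cmpxchg on a tagged pointer, and the page ring is constructed inline. The hook that runs between the two stores stands in for the delay loop the commit message inserts and for a concurrent ring_buffer_resize() calling rb_check_pages(): a checker inside the window reports corruption, the same checker after the swap completes does not. The model does not reproduce the kernel's actual fix; the referenced commits are the source for that.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct page_list { struct page_list *next, *prev; };

struct buffer_page {
    struct page_list list;   /* must stay first: ring nodes are cast back to pages */
    int id;
};

#define NPAGES 4

struct cpu_buffer {
    struct page_list pages;              /* sentinel head of the circular ring (model only) */
    struct buffer_page *reader_page;     /* spare page the reader swaps in */
    struct buffer_page storage[NPAGES + 1];
};

typedef void (*window_hook_t)(struct cpu_buffer *cb, bool *flag);

/* Constructed ring: head <-> p0 <-> p1 <-> p2 <-> p3 <-> head, plus one spare. */
static void init_buffer(struct cpu_buffer *cb)
{
    cb->pages.next = cb->pages.prev = &cb->pages;
    for (int i = 0; i < NPAGES; i++) {
        struct buffer_page *bp = &cb->storage[i];
        bp->id = i;
        bp->list.prev = cb->pages.prev;          /* append at the tail */
        bp->list.next = &cb->pages;
        cb->pages.prev->next = &bp->list;
        cb->pages.prev = &bp->list;
    }
    cb->reader_page = &cb->storage[NPAGES];
    cb->reader_page->id = NPAGES;
    cb->reader_page->list.next = cb->reader_page->list.prev = NULL;
}

/* The invariant rb_check_pages() verifies: for every node in the ring,
 * node->prev->next == node and node->next->prev == node. Stops at the
 * first violation so a broken ring is never walked blindly. */
static bool check_pages(const struct cpu_buffer *cb)
{
    const struct page_list *head = &cb->pages;
    for (const struct page_list *p = head; ; ) {
        if (p->next->prev != p || p->prev->next != p)
            return false;
        p = p->next;
        if (p == head)
            break;
    }
    return true;
}

/* Model of the swap in rb_get_reader_page(): put the spare reader page where
 * `old` sits in the ring. Step 1 is the store the kernel does with cmpxchg on
 * old->list.prev->next; step 2 is the later fix-up of old->list.next->prev.
 * `hook`, if given, runs between them, where the list is inconsistent. */
static void reader_swap(struct cpu_buffer *cb, struct buffer_page *old,
                        window_hook_t hook, bool *flag)
{
    struct buffer_page *spare = cb->reader_page;

    spare->list.next = old->list.next;       /* spare adopts old's neighbours */
    spare->list.prev = old->list.prev;

    old->list.prev->next = &spare->list;     /* step 1: predecessor -> spare */

    if (hook)
        hook(cb, flag);                      /* the race window */

    old->list.next->prev = &spare->list;     /* step 2: successor's back-pointer */

    old->list.next = old->list.prev = NULL;
    cb->reader_page = old;                   /* old page is now the reader's */
}

/* A resize arriving inside the window: the rb_check_pages() call in
 * ring_buffer_resize() that fires the WARNING in the commit message. */
static void resize_check_in_window(struct cpu_buffer *cb, bool *saw_corruption)
{
    if (!check_pages(cb))
        *saw_corruption = true;
}

/* Swap the first ring page with the checker racing inside the window.
 * Returns true when the checker saw the transient inconsistency. */
bool demo_race(void)
{
    struct cpu_buffer cb;
    bool saw_corruption = false;

    init_buffer(&cb);
    reader_swap(&cb, (struct buffer_page *)cb.pages.next,
                resize_check_in_window, &saw_corruption);
    return saw_corruption;
}

/* Same swap, but the check runs only after the swap has completed, i.e. the
 * check is serialized against the reader. Returns true: the ring is intact
 * and the old first page has become the reader page. */
bool demo_serialized(void)
{
    struct cpu_buffer cb;

    init_buffer(&cb);
    reader_swap(&cb, (struct buffer_page *)cb.pages.next, NULL, NULL);
    return check_pages(&cb) && cb.reader_page->id == 0;
}

int main(void)
{
    printf("checker inside the window saw corruption: %s\n", demo_race() ? "yes" : "no");
    printf("ring intact once the swap completed:     %s\n", demo_serialized() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one the commit message makes: neither store is wrong on its own, the invariant only holds once both have landed, so any checker that can observe the list between them must be serialized against the swap rather than made more tolerant.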
References
Reported by the Linux CNA (416baaa9-dc9f-4396-8d5f-8c081fb06d67) and mirrored unchanged in the CVE Program container (af854a3a-2127-422b-91ae-364da2661108); each URL is a fix commit on one branch of the stable tree:
https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b
https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e
https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb
https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1
https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87
https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533
https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e
https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa
https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a
Impacted products
Vendor: Linux
Product: Linux
Version: affected from 3.5 (commit 659f451ff213); fixed in 4.19.316, 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.8.12, 6.9.3 and in 6.10 (mainline). Stable branches not in that list have no fix release recorded here.
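A check against the version ranges in this record, as an added example (not part of the record and not kernel tooling; the function and type names are this example's own, and the version strings it is run on are constructed). It encodes the record's rules: affected from 3.5, unaffected on a stable branch from the listed release onward, unaffected from 6.10, and, because the record's default status is "affected", a 3.5+ branch with no listed fix (an end-of-life 6.7.y, say) counts as affected. Caveat: distribution kernels backport fixes without changing the upstream version number, so an "affected" answer from this check means "verify against your distribution's changelog or the presence of the fix commit", not "vulnerable".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum status { UNAFFECTED = 0, AFFECTED = 1, UNPARSEABLE = 2 };

struct kver { int major, minor, patch; };

/* Parse "6.6.33", "6.10" or a uname -r style "6.6.33-generic"; sscanf
 * stops at the first non-numeric suffix. Returns false on garbage. */
static bool parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

static int cmp_kver(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Stable branches and the first release on each that carries the fix,
 * copied from the record's "unaffected" entries. */
static const struct kver fixed_stable[] = {
    {4, 19, 316}, {5, 4, 278}, {5, 10, 219}, {5, 15, 161},
    {6, 1, 93},   {6, 6, 33},  {6, 8, 12},   {6, 9, 3},
};
static const struct kver introduced   = {3, 5, 0};   /* affected from 3.5 */
static const struct kver mainline_fix = {6, 10, 0};  /* original_commit_for_fix */

enum status cve_2024_38601_status(const char *release)
{
    struct kver v;

    if (!parse_kver(release, &v))
        return UNPARSEABLE;
    if (cmp_kver(v, introduced) < 0)
        return UNAFFECTED;                /* "0 .. <3.5" is unaffected */
    if (cmp_kver(v, mainline_fix) >= 0)
        return UNAFFECTED;                /* 6.10 and later carry the fix */
    for (size_t i = 0; i < sizeof fixed_stable / sizeof fixed_stable[0]; i++) {
        const struct kver *f = &fixed_stable[i];
        if (v.major == f->major && v.minor == f->minor)
            /* e.g. 4.19.316 .. 4.19.* is unaffected; earlier 4.19.y is not */
            return cmp_kver(v, *f) >= 0 ? UNAFFECTED : AFFECTED;
    }
    /* A 3.5+ branch with no stable fix listed: the record's defaultStatus
     * for the version-range entry is "affected". */
    return AFFECTED;
}

int main(void)
{
    /* constructed inputs, not real hosts */
    const char *samples[] = { "5.15.160", "5.15.161", "6.6.33-generic", "6.7.12", "6.10", "3.4.113" };
    static const char *names[] = { "unaffected", "affected", "unparseable" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], names[cve_2024_38601_status(samples[i])]);
    return 0;
}
```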


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:12:25.979Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38601",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:13:21.471342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:54.075Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b50932ea673b5a089a4bb570a8a868d95c72854e",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "1e160196042cac946798ac192a0bc3398f1aa66b",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "595363182f28786d641666a09e674b852c83b4bb",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "54c64967ba5f8658ae7da76005024ebd3d9d8f6e",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "af3274905b3143ea23142bbf77bd9b610c54e533",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "79b52013429a42b8efdb0cda8bb0041386abab87",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            },
            {
              "lessThan": "c2274b908db05529980ec056359fae916939fdaa",
              "status": "affected",
              "version": "659f451ff21315ebfeeb46b9adccee8ce1b52c25",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ring_buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.316",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.278",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.219",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.161",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix a race between readers and resize checks\n\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old-\u003elist.prev-\u003enext to point it to the\nnew page. Following that, if the operation is successful,\nold-\u003elist.next-\u003eprev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page-\u003eprev-\u003enext or\npage-\u003enext-\u003eprev might not be equal back to page for some page in the\nring buffer.\n\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\n\n[  190.271762] ------------[ cut here ]------------\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[  190.271789] Modules linked in: [...]\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[  190.272023] Code: [...]\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  190.272077] Call Trace:\n[  190.272098]  \u003cTASK\u003e\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\n[  190.272216]  tracing_entries_write+0x74/0xc0\n[  190.272225]  vfs_write+0xf5/0x420\n[  190.272248]  ksys_write+0x67/0xe0\n[  190.272256]  do_syscall_64+0x82/0x170\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  190.272373] RIP: 0033:0x7f1bd657d263\n[  190.272381] Code: [...]\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[  190.272412]  \u003c/TASK\u003e\n[  190.272414] ---[ end trace 0000000000000000 ]---\n\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\n\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\n\n ret = rb_head_page_replace(reader, cpu_buffer-\u003ereader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i \u003c 1U \u003c\u003c 26; i++)  /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader-\u003elist.next)-\u003eprev = \u0026cpu_buffer-\u003ereader_page-\u003elist;\n\n.. \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:05:24.562Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b"
        },
        {
          "url": "https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa"
        }
      ],
      "title": "ring-buffer: Fix a race between readers and resize checks",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-38601",
    "datePublished": "2024-06-19T13:48:13.097Z",
    "dateReserved": "2024-06-18T19:36:34.933Z",
    "dateUpdated": "2024-12-19T09:05:24.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38601\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-19T14:15:20.087\",\"lastModified\":\"2024-11-21T09:26:27.407\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nring-buffer: Fix a race between readers and resize checks\\n\\nThe reader code in rb_get_reader_page() swaps a new reader page into the\\nring buffer by doing cmpxchg on old-\u003elist.prev-\u003enext to point it to the\\nnew page. Following that, if the operation is successful,\\nold-\u003elist.next-\u003eprev gets updated too. This means the underlying\\ndoubly-linked list is temporarily inconsistent, page-\u003eprev-\u003enext or\\npage-\u003enext-\u003eprev might not be equal back to page for some page in the\\nring buffer.\\n\\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\\nIt calls rb_check_pages() which can detect the described inconsistency\\nand stop further tracing:\\n\\n[  190.271762] ------------[ cut here ]------------\\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\\n[  190.271789] Modules linked in: [...]\\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\\n[  190.272023] Code: [...]\\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[  190.272077] Call Trace:\\n[  190.272098]  \u003cTASK\u003e\\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\\n[  190.272216]  tracing_entries_write+0x74/0xc0\\n[  190.272225]  vfs_write+0xf5/0x420\\n[  190.272248]  ksys_write+0x67/0xe0\\n[  190.272256]  do_syscall_64+0x82/0x170\\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n[  190.272373] RIP: 0033:0x7f1bd657d263\\n[  190.272381] Code: [...]\\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\\n[  190.272412]  \u003c/TASK\u003e\\n[  190.272414] ---[ end trace 0000000000000000 ]---\\n\\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\\ntrace_buffer has recording disabled. Recent commit d78ab792705c\\n(\\\"tracing: Stop current tracer when resizing buffer\\\") causes that it is\\nnow always the case which makes it more likely to experience this issue.\\n\\nThe window to hit this race is nonetheless very small. To help\\nreproducing it, one can add a delay loop in rb_get_reader_page():\\n\\n ret = rb_head_page_replace(reader, cpu_buffer-\u003ereader_page);\\n if (!ret)\\n \\tgoto spin;\\n for (unsigned i = 0; i \u003c 1U \u003c\u003c 26; i++)  /* inserted delay loop */\\n \\t__asm__ __volatile__ (\\\"\\\" : : : \\\"memory\\\");\\n rb_list_head(reader-\u003elist.next)-\u003eprev = \u0026cpu_buffer-\u003ereader_page-\u003elist;\\n\\n.. \\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1e160196042cac946798ac192a0bc3398f1aa66b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/54c64967ba5f8658ae7da76005024ebd3d9d8f6e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/595363182f28786d641666a09e674b852c83b4bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5ef9e330406d3fb4f4b2c8bca2c6b8a93bae32d1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/79b52013429a42b8efdb0cda8bb0041386abab87\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/af3274905b3143ea23142bbf77bd9b610c54e533\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/b50932ea673b5a089a4bb570a8a868d95c72854e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/c2274b908db05529980ec056359fae916939fdaa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/c68b7a442ee61d04ca58b2b5cb5ea7cb8230f84a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}