Bugzilla – Bug 1025626
VUL-0: CVE-2017-6001: kernel-source: Incomplete fix for CVE-2016-6786: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
Last modified: 2022-03-31 08:09:03 UTC
Ref: http://seclists.org/oss-sec/2017/q1/446
=============================================
Hi

The original fix for CVE-2016-6786 was incomplete. Upstream has committed
https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290
which is in v4.10-rc4 (and also backported to 4.9.x in v4.9.7).

This has been assigned a new CVE identifier: CVE-2017-6001 (assigned via -> https://cveform.mitre.org/).

Commit message reads as:

commit 321027c1fe77f892f4ea07846aeae08cefbbb290
Author: Peter Zijlstra <peterz () infradead org>
Date:   Wed Jan 11 21:09:50 2017 +0100

    perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race

    Di Shen reported a race between two concurrent sys_perf_event_open()
    calls where both try and move the same pre-existing software group
    into a hardware context.

    The problem is exactly that described in commit:

      f63a8daa5812 ("perf: Fix event->ctx locking")

    ... where, while we wait for a ctx->mutex acquisition, the event->ctx
    relation can have changed under us.

    That very same commit failed to recognise sys_perf_event_context() as an
    external access vector to the events and thereby didn't apply the
    established locking rules correctly.

    So while one sys_perf_event_open() call is stuck waiting on
    mutex_lock_double(), the other (which owns said locks) moves the group
    about. So by the time the former sys_perf_event_open() acquires the
    locks, the context we've acquired is stale (and possibly dead).

    Apply the established locking rules as per perf_event_ctx_lock_nested()
    to the mutex_lock_double() for the 'move_group' case. This obviously means
    we need to validate state after we acquire the locks.

    Reported-by: Di Shen (Keen Lab)
    Tested-by: John Dias <joaodias () google com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz () infradead org>
    Cc: Alexander Shishkin <alexander.shishkin () linux intel com>
    Cc: Arnaldo Carvalho de Melo <acme () kernel org>
    Cc: Arnaldo Carvalho de Melo <acme () redhat com>
    Cc: Jiri Olsa <jolsa () redhat com>
    Cc: Kees Cook <keescook () chromium org>
    Cc: Linus Torvalds <torvalds () linux-foundation org>
    Cc: Min Chong <mchong () google com>
    Cc: Peter Zijlstra <peterz () infradead org>
    Cc: Stephane Eranian <eranian () google com>
    Cc: Thomas Gleixner <tglx () linutronix de>
    Cc: Vince Weaver <vincent.weaver () maine edu>
    Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
    Link: http://lkml.kernel.org/r/20170106131444.GZ3174 () twins programming kicks-ass net
    Signed-off-by: Ingo Molnar <mingo () kernel org>

Regards,
Salvatore
=============================================
https://security-tracker.debian.org/tracker/CVE-2017-6001
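To make the locking rule in the commit message concrete, here is an added user-space model (not kernel code, and not part of this bug report) of the pattern the fix applies: the event's context pointer is re-read after the mutex is acquired, and the lock is dropped and retried if the event was moved meanwhile. The competing sys_perf_event_open() is replaced by a hook that moves the event while the caller waits for the mutex, the two-context mutex_lock_double() is simplified to a single context, and the names lock_event_ctx_naive, lock_event_ctx_checked, struct mover and race_holds_current_ctx are assumptions of the model, not kernel identifiers.

```c
#include <stdio.h>

/* Added user-space model of the 'move_group' race, not kernel code.
 * A context owns the mutex that must be held; an event points at its
 * current context, and a concurrent opener may move it elsewhere. */

struct ctx {
    int locked;              /* models ctx->mutex */
    int refcount;            /* models ctx->refcount / put_ctx() */
    const char *name;
};

struct event {
    struct ctx *ctx;         /* can change under us while we wait for a mutex */
};

/* Hypothetical stand-in for the competing sys_perf_event_open(): it owns
 * the locks, moves the event to dst exactly once, then releases them. */
struct mover {
    struct ctx *dst;
    int fired;
};

static void get_ctx(struct ctx *c) { c->refcount++; }
static void put_ctx(struct ctx *c) { c->refcount--; }

/* Models mutex_lock(&c->mutex) while another opener currently owns it:
 * before the caller obtains the lock, the owner completes the move. */
static void ctx_mutex_lock(struct ctx *c, struct event *ev, struct mover *m)
{
    if (m && !m->fired) {
        ev->ctx = m->dst;    /* move_group done by the lock owner */
        m->fired = 1;
    }
    c->locked = 1;
}

static void ctx_mutex_unlock(struct ctx *c) { c->locked = 0; }

/* Pre-fix pattern: read event->ctx, block on its mutex, trust the result. */
static struct ctx *lock_event_ctx_naive(struct event *ev, struct mover *m)
{
    struct ctx *c = ev->ctx;
    get_ctx(c);
    ctx_mutex_lock(c, ev, m);
    return c;                /* may be stale: ev->ctx moved while we waited */
}

/* Fixed pattern, the rule perf_event_ctx_lock_nested() follows and the
 * commit applies to the move_group path: after taking the mutex, re-check
 * event->ctx; if it changed, drop lock and reference and start over. */
static struct ctx *lock_event_ctx_checked(struct event *ev, struct mover *m)
{
    for (;;) {
        struct ctx *c = ev->ctx;
        get_ctx(c);          /* keep c alive while we sleep on its mutex */
        ctx_mutex_lock(c, ev, m);
        if (ev->ctx == c)
            return c;        /* locked context is still the event's context */
        ctx_mutex_unlock(c);
        put_ctx(c);
    }
}

static void unlock_event_ctx(struct ctx *c)
{
    ctx_mutex_unlock(c);
    put_ctx(c);
}

/* Runs one open-vs-move race on constructed sample state. Returns 1 if the
 * context we hold locked is the event's current context, 0 if it is stale
 * (the bug the commit fixes). */
int race_holds_current_ctx(int use_checked)
{
    struct ctx sw = { 0, 1, "software ctx" };   /* constructed sample state */
    struct ctx hw = { 0, 1, "hardware ctx" };
    struct event ev = { &sw };
    struct mover m = { &hw, 0 };
    struct ctx *held = use_checked ? lock_event_ctx_checked(&ev, &m)
                                   : lock_event_ctx_naive(&ev, &m);
    int ok = (held == ev.ctx);
    printf("%s: holding %s, event now lives in %s\n",
           use_checked ? "checked" : "naive", held->name, ev.ctx->name);
    unlock_event_ctx(held);
    return ok;
}

int main(void)
{
    race_holds_current_ctx(0);
    race_holds_current_ctx(1);
    return 0;
}
```

The naive path ends up holding the software context's lock while the event has already been moved to the hardware context, which is the "stale (and possibly dead)" state the commit describes; the checked path notices the mismatch after acquiring the lock, releases it and retries against the context the event now belongs to. The reference taken before sleeping on the mutex is what keeps the stale context from being freed underneath the waiter.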
bugbot adjusting priority
we so far did not backport the other fix, so we are not affected. Tony, please backport both and mention both CVEs.
(In reply to Marcus Meissner from comment #3)
> we so far did not backport the other fix, so we are not affected.
>
> Tony, please backport both and mention both CVEs.

I'll look but these changes are stacked on top of so many prior locking changes that would need to be ported that it's complex.
Since we decided to not backport the other fix (bsc#1015160), we won't backport this one either. Closing as WONTFIX.