Bug 1025626 - (CVE-2017-6001) VUL-0: CVE-2017-6001: kernel-source: Incomplete fix for CVE-2016-6786: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
(CVE-2017-6001)
VUL-0: CVE-2017-6001: kernel-source: Incomplete fix for CVE-2016-6786: perf/c...
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: unspecified
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/180623/
CVSSv2:NVD:CVE-2017-6001:7.6:(AV:N/A...
:
Depends on:
Blocks: CVE-2016-6786
  Show dependency treegraph
 
Reported: 2017-02-16 10:04 UTC by Mikhail Kasimov
Modified: 2022-03-31 08:09 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-02-16 10:04:13 UTC
Ref: http://seclists.org/oss-sec/2017/q1/446
=============================================
Hi

The original fix for CVE-2016-6786 ws incomplete. Upstream has
commited

https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290

which is in v4.10-rc4 (and also backported to 4.9.x in v4.9.7). This
has been assigned a new CVE identifier: CVE-2017-6001 (assigned via ->
https://cveform.mitre.org/).

Commit message reads as:

    commit 321027c1fe77f892f4ea07846aeae08cefbbb290
    Author: Peter Zijlstra <peterz () infradead org>
    Date:   Wed Jan 11 21:09:50 2017 +0100

        perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
        
        Di Shen reported a race between two concurrent sys_perf_event_open()
        calls where both try and move the same pre-existing software group
        into a hardware context.
        
        The problem is exactly that described in commit:
        
          f63a8daa5812 ("perf: Fix event->ctx locking")
        
        ... where, while we wait for a ctx->mutex acquisition, the event->ctx
        relation can have changed under us.
        
        That very same commit failed to recognise sys_perf_event_context() as an
        external access vector to the events and thereby didn't apply the
        established locking rules correctly.
        
        So while one sys_perf_event_open() call is stuck waiting on
        mutex_lock_double(), the other (which owns said locks) moves the group
        about. So by the time the former sys_perf_event_open() acquires the
        locks, the context we've acquired is stale (and possibly dead).
        
        Apply the established locking rules as per perf_event_ctx_lock_nested()
        to the mutex_lock_double() for the 'move_group' case. This obviously means
        we need to validate state after we acquire the locks.
        
        Reported-by: Di Shen (Keen Lab)
        Tested-by: John Dias <joaodias () google com>
        Signed-off-by: Peter Zijlstra (Intel) <peterz () infradead org>
        Cc: Alexander Shishkin <alexander.shishkin () linux intel com>
        Cc: Arnaldo Carvalho de Melo <acme () kernel org>
        Cc: Arnaldo Carvalho de Melo <acme () redhat com>
        Cc: Jiri Olsa <jolsa () redhat com>
        Cc: Kees Cook <keescook () chromium org>
        Cc: Linus Torvalds <torvalds () linux-foundation org>
        Cc: Min Chong <mchong () google com>
        Cc: Peter Zijlstra <peterz () infradead org>
        Cc: Stephane Eranian <eranian () google com>
        Cc: Thomas Gleixner <tglx () linutronix de>
        Cc: Vince Weaver <vincent.weaver () maine edu>
        Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
        Link: http://lkml.kernel.org/r/20170106131444.GZ3174 () twins programming kicks-ass net
        Signed-off-by: Ingo Molnar <mingo () kernel org>


Regards,
Salvatore
=============================================

https://security-tracker.debian.org/tracker/CVE-2017-6001
Comment 1 Swamp Workflow Management 2017-02-16 23:00:33 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2017-03-06 10:48:42 UTC
we so far did not backport the other fix, so we are not affected.

Tony, please backport both and mention both CVEs.
Comment 4 Tony Jones 2017-03-09 00:05:06 UTC
(In reply to Marcus Meissner from comment #3)
> we so far did not backport the other fix, so we are not affected.
> 
> Tony, please backport both and mention both CVEs.

I'll look but these changes are stacked on top of so many prior locking changes that would need to be ported that it's complex.
Comment 5 Gabriele Sonnu 2022-03-31 08:09:03 UTC
Since we decided to not backport the other fix (bsc#1015160), we won't backport this one either. Closing as WONTFIX.