2.1 KiB
CVE-2024-39479
Description
In the Linux kernel, the following vulnerability has been resolved:drm/i915/hwmon: Get rid of devmWhen both hwmon and hwmon drvdata (on which hwmon depends) are devicemanaged resources, the expectation, on device unbind, is that hwmon will bereleased before drvdata. However, in i915 there are two separate codepaths, which both release either drvdata or hwmon and either can bereleased before the other. These code paths (for device unbind) are asfollows (see also the bug referenced below):Call Trace:release_nodes+0x11/0x70devres_release_group+0xb2/0x110component_unbind_all+0x8d/0xa0component_del+0xa5/0x140intel_pxp_tee_component_fini+0x29/0x40 [i915]intel_pxp_fini+0x33/0x80 [i915]i915_driver_remove+0x4c/0x120 [i915]i915_pci_remove+0x19/0x30 [i915]pci_device_remove+0x32/0xa0device_release_driver_internal+0x19c/0x200unbind_store+0x9c/0xb0andCall Trace:release_nodes+0x11/0x70devres_release_all+0x8a/0xc0device_unbind_cleanup+0x9/0x70device_release_driver_internal+0x1c1/0x200unbind_store+0x9c/0xb0This means that in i915, if use devm, we cannot gurantee that hwmon willalways be released before drvdata. Which means that we have a uaf if hwmonsysfs is accessed when drvdata has been released but hwmon hasn't.The only way out of this seems to be do get rid of devm_ and release/freeeverything explicitly during device unbind.v2: Change commit message and other minor code changesv3: Cleanup from i915_hwmon_register on error (Armin Wolf)v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani)v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)
POC
Reference
No PoCs from references.