CVE-2024-38780 - Resolved Linux Kernel Vulnerability dma-buf/sw-sync: don't enable IRQ from sync_print_obj()

A recently resolved vulnerability has been discovered in the Linux kernel's dma-buf/sw-sync subsystem. It was introduced by commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context"), which mistakenly replaced spin_unlock_irqrestore() with spin_unlock_irq() in both sync_debugfs_show() and sync_print_obj(). Because the two functions nest, lockdep flagged an inconsistent lock state warning. This article covers the details of the vulnerability, the code of the fix, and the original references.

Details of the Vulnerability

The issue was caused by the incorrect replacement of spin_unlock_irqrestore() with spin_unlock_irq() in both sync_debugfs_show() and sync_print_obj(). sync_print_obj() is called from sync_debugfs_show() while the latter already holds its lock with interrupts disabled, so the nested spin_unlock_irq() re-enabled interrupts while the outer lock was still held. Lockdep, the kernel's locking correctness validator, detects exactly this kind of mismatch and reported it as an inconsistent lock state warning.
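The following user-space model, added here as an example and not taken from the kernel or from the patch, reproduces the mechanism behind the warning. Its spin_lock_irq()/spin_unlock_irq() functions are constructed stand-ins that only track the CPU's IRQ state and lock nesting; sync_print_obj_before/after and run_debugfs_show are hypothetical names for the buggy and fixed callee and for a caller modelled on sync_debugfs_show().

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model, not kernel code. It tracks the CPU's IRQ
 * state and the nesting depth of irq-disabling locks, and counts the case
 * lockdep flags: a lock taken with IRQs off is still held while IRQs are on. */
static bool irqs_disabled;
static int  irq_lock_depth;   /* locks currently held via spin_lock_irq() */
static int  violations;

static void spin_lock_irq(void) { irqs_disabled = true; irq_lock_depth++; }
static void spin_unlock_irq(void)
{
    irq_lock_depth--;
    irqs_disabled = false;    /* unconditionally re-enables IRQs ... */
    if (irq_lock_depth > 0)
        violations++;         /* ... while an outer irq lock is still held */
}

/* Plain variants leave the IRQ state untouched. */
static void spin_lock(void)   { }
static void spin_unlock(void) { }

/* Before the fix: sync_print_obj() used the _irq variants even though its
 * caller had already disabled IRQs. */
static void sync_print_obj_before(void) { spin_lock_irq(); spin_unlock_irq(); }

/* After the fix: plain lock/unlock nested inside the caller's _irq section. */
static void sync_print_obj_after(void) { spin_lock(); spin_unlock(); }

/* Models sync_debugfs_show(): it holds its list lock with IRQs disabled while
 * printing each object. Returns the number of violations the model detected. */
static int run_debugfs_show(void (*print_obj)(void))
{
    irqs_disabled = false; irq_lock_depth = 0; violations = 0;
    spin_lock_irq();          /* the outer, irq-disabling section */
    print_obj();
    if (!irqs_disabled)       /* IRQ state changed underneath the caller */
        violations++;
    spin_unlock_irq();
    return violations;
}

int main(void)
{
    printf("before fix: %d violation(s)\n", run_debugfs_show(sync_print_obj_before));
    printf("after fix:  %d violation(s)\n", run_debugfs_show(sync_print_obj_after));
    return 0;
}
```

The buggy callee is reported twice (once by the nested unlock itself, once by the caller finding IRQs enabled), while the fixed callee leaves the caller's IRQ state intact.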

Code Snippet and Solution

The fix uses plain spin_{lock,unlock}() in sync_print_obj(), since its caller sync_debugfs_show() already uses spin_{lock,unlock}_irq() and therefore runs it with interrupts disabled. The relevant code can be seen below:

--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -284,7 +284,7 @@ static void sync_print_obj(struct seq_file *s, bool fence,
	spin_lock_init(>lock);
	spin_lock_irq(>lock);
	if (f) {
-		spin_lock(>lock);
+		spin_lock_irq(>lock);
		sync_print_fence(&sync_buf.buf, fence, fence->ops->print_obj, "> ", );
-		spin_unlock(>lock);
+		spin_unlock_irq(>lock);
	}
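Review bot: The hunk goes in the opposite direction from the fix described above: the removed lines are spin_lock()/spin_unlock() and the added lines are spin_lock_irq()/spin_unlock_irq(), whereas the described (and titled) fix drops the _irq variants in sync_print_obj() because sync_debugfs_show() already holds its lock with IRQs disabled. As shown, the context line spin_lock_irq(>lock) immediately followed by the added spin_lock_irq(>lock) takes the same lock twice in a row, and the added spin_unlock_irq() would re-enable interrupts while the caller still holds its lock, which is precisely the lockdep complaint being fixed. The lock arguments are also truncated (">lock" and ", )"), and the file header names drivers/dma-buf/sync_file.c although sync_print_obj() and sync_debugfs_show() live in drivers/dma-buf/sync_debug.c upstream; the hunk should be re-taken verbatim from the upstream commit rather than used as shown.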

Original References

The introduction of the bug and its resolution can both be traced in the Linux kernel source repository's commit history. The relevant commits are listed below for further reading:

1. Commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context")
2. Patch fixing the vulnerability

Conclusion

CVE-2024-38780 is a resolved Linux kernel vulnerability caused by a locking error. It illustrates the value of careful code review and of the open-source community's ongoing work to keep the kernel secure and stable. Developers are encouraged to stay current with patches and to follow the Linux kernel mailing list and commit history for future vulnerabilities and their fixes.

Timeline

Published on: 06/21/2024 12:15:11 UTC
Last modified on: 06/27/2024 12:15:29 UTC