[linux] 02/02: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Feb 18 19:55:07 UTC 2017 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit d5b00cd9857c9de15f0d5dfcfee4c86ce438214c
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat Feb 18 18:35:46 2017 +0100

    perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001)
---
 debian/changelog                                   |   2 +
 ...ix-concurrent-sys_perf_event_open-vs.-mov.patch | 156 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 159 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 746341c..677ff72 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 linux (3.16.39-1+deb8u1) UNRELEASED; urgency=medium
 
   * perf: Fix event->ctx locking (CVE-2016-6786)
+  * perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
+    (CVE-2017-6001)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 18 Feb 2017 18:26:58 +0100
 
diff --git a/debian/patches/bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch b/debian/patches/bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
new file mode 100644
index 0000000..855254e
--- /dev/null
+++ b/debian/patches/bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
@@ -0,0 +1,156 @@
+From: Peter Zijlstra <peterz at infradead.org>
+Date: Wed, 11 Jan 2017 21:09:50 +0100
+Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
+Origin: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290
+
+Di Shen reported a race between two concurrent sys_perf_event_open()
+calls where both try and move the same pre-existing software group
+into a hardware context.
+
+The problem is exactly that described in commit:
+
+  f63a8daa5812 ("perf: Fix event->ctx locking")
+
+... where, while we wait for a ctx->mutex acquisition, the event->ctx
+relation can have changed under us.
+
+That very same commit failed to recognise sys_perf_event_context() as an
+external access vector to the events and thereby didn't apply the
+established locking rules correctly.
+
+So while one sys_perf_event_open() call is stuck waiting on
+mutex_lock_double(), the other (which owns said locks) moves the group
+about. So by the time the former sys_perf_event_open() acquires the
+locks, the context we've acquired is stale (and possibly dead).
+
+Apply the established locking rules as per perf_event_ctx_lock_nested()
+to the mutex_lock_double() for the 'move_group' case. This obviously means
+we need to validate state after we acquire the locks.
+
+Reported-by: Di Shen (Keen Lab)
+Tested-by: John Dias <joaodias at google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin at linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme at kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
+Cc: Jiri Olsa <jolsa at redhat.com>
+Cc: Kees Cook <keescook at chromium.org>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Min Chong <mchong at google.com>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Stephane Eranian <eranian at google.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Vince Weaver <vincent.weaver at maine.edu>
+Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
+Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+[bwh: Backported to 3.16:
+ - Use ACCESS_ONCE() instead of READ_ONCE()
+ - Test perf_event::group_flags instead of group_caps
+ - Add the err_locked cleanup block, which we didn't need before
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/events/core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 54 insertions(+), 4 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7311,6 +7311,37 @@ static void mutex_lock_double(struct mut
+ 	mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
+ }
+ 
++/*
++ * Variation on perf_event_ctx_lock_nested(), except we take two context
++ * mutexes.
++ */
++static struct perf_event_context *
++__perf_event_ctx_lock_double(struct perf_event *group_leader,
++			     struct perf_event_context *ctx)
++{
++	struct perf_event_context *gctx;
++
++again:
++	rcu_read_lock();
++	gctx = ACCESS_ONCE(group_leader->ctx);
++	if (!atomic_inc_not_zero(&gctx->refcount)) {
++		rcu_read_unlock();
++		goto again;
++	}
++	rcu_read_unlock();
++
++	mutex_lock_double(&gctx->mutex, &ctx->mutex);
++
++	if (group_leader->ctx != gctx) {
++		mutex_unlock(&ctx->mutex);
++		mutex_unlock(&gctx->mutex);
++		put_ctx(gctx);
++		goto again;
++	}
++
++	return gctx;
++}
++
+ /**
+  * sys_perf_event_open - open a performance event, associate it to a task/cpu
+  *
+@@ -7522,14 +7553,31 @@ SYSCALL_DEFINE5(perf_event_open,
+ 	}
+ 
+ 	if (move_group) {
+-		gctx = group_leader->ctx;
++		gctx = __perf_event_ctx_lock_double(group_leader, ctx);
++
++		/*
++		 * Check if we raced against another sys_perf_event_open() call
++		 * moving the software group underneath us.
++		 */
++		if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
++			/*
++			 * If someone moved the group out from under us, check
++			 * if this new event wound up on the same ctx, if so
++			 * its the regular !move_group case, otherwise fail.
++			 */
++			if (gctx != ctx) {
++				err = -EINVAL;
++				goto err_locked;
++			} else {
++				perf_event_ctx_unlock(group_leader, gctx);
++				move_group = 0;
++			}
++		}
+ 
+ 		/*
+ 		 * See perf_event_ctx_lock() for comments on the details
+ 		 * of swizzling perf_event::ctx.
+ 		 */
+-		mutex_lock_double(&gctx->mutex, &ctx->mutex);
+-
+ 		perf_remove_from_context(group_leader, false);
+ 
+ 		/*
+@@ -7569,10 +7617,8 @@ SYSCALL_DEFINE5(perf_event_open,
+ 	perf_install_in_context(ctx, event, event->cpu);
+ 	perf_unpin_context(ctx);
+ 
+-	if (move_group) {
+-		mutex_unlock(&gctx->mutex);
+-		put_ctx(gctx);
+-	}
++	if (move_group)
++		perf_event_ctx_unlock(group_leader, gctx);
+ 	mutex_unlock(&ctx->mutex);
+ 
+ 	put_online_cpus();
+@@ -7599,6 +7645,11 @@ SYSCALL_DEFINE5(perf_event_open,
+ 	fd_install(event_fd, event_file);
+ 	return event_fd;
+ 
++err_locked:
++	if (move_group)
++		perf_event_ctx_unlock(group_leader, gctx);
++	mutex_unlock(&ctx->mutex);
++	fput(event_file);
+ err_context:
+ 	perf_unpin_context(ctx);
+ 	put_ctx(ctx);
diff --git a/debian/patches/series b/debian/patches/series
index 1c96fa3..7e19945 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -680,6 +680,7 @@ bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
 bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
 bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
 bugfix/all/perf-Fix-event-ctx-locking.patch
+bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list