From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M/J/F][PATCH 1/1] media: xc4000: Fix atomicity violation in xc4000_get_frequency
Date: Tue, 30 Apr 2024 12:33:35 -0500
Message-Id: <20240430173335.16606-2-bethany.jamison@canonical.com>
In-Reply-To: <20240430173335.16606-1-bethany.jamison@canonical.com>
References: <20240430173335.16606-1-bethany.jamison@canonical.com>
From: Gui-Dong Han <2045gemini@gmail.com>

[ Upstream commit 36d503ad547d1c75758a6fcdbec2806f1b6aeb41 ]

In xc4000_get_frequency():
    *freq = priv->freq_hz + priv->freq_offset;
The code accesses priv->freq_hz and priv->freq_offset without holding any lock.

In xc4000_set_params():
    // Code that updates priv->freq_hz and priv->freq_offset
    ...

xc4000_get_frequency() and xc4000_set_params() may execute concurrently, risking inconsistent reads of priv->freq_hz and priv->freq_offset. Since these related data may update during reading, it can result in incorrect frequency calculation, leading to atomicity violations.

This possible bug is found by an experimental static analysis tool developed by our team, BassCheck[1]. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported when our tool analyzes the source code of Linux 6.2.

To address this issue, it is proposed to add a mutex lock pair in xc4000_get_frequency() to ensure atomicity. With this patch applied, our tool no longer reports the possible bug, with the kernel configuration allyesconfig for x86_64. Due to the lack of associated hardware, we cannot test the patch in runtime testing, and just verify it according to the code logic.

[1] https://sites.google.com/view/basscheck/

Fixes: 4c07e32884ab ("[media] xc4000: Fix get_frequency()")
Cc: stable@vger.kernel.org
Reported-by: BassCheck
Signed-off-by: Gui-Dong Han <2045gemini@gmail.com>
Signed-off-by: Hans Verkuil
Signed-off-by: Sasha Levin
(cherry picked from commit dc5e4f240473b64f7b2f24424e96c92435ebd8d7 linux-6.6.y)
CVE-2024-24861
Signed-off-by: Bethany Jamison
---
 drivers/media/tuners/xc4000.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/tuners/xc4000.c b/drivers/media/tuners/xc4000.c index 57ded9ff3f043..29bc63021c5aa 100644 --- a/drivers/media/tuners/xc4000.c +++ b/drivers/media/tuners/xc4000.c @@ -1515,10 +1515,10 @@ static int xc4000_get_frequency(struct dvb_frontend *fe, u32 *freq) { struct xc4000_priv *priv = fe->tuner_priv; + mutex_lock(&priv->lock); *freq = priv->freq_hz + priv->freq_offset; if (debug) { - mutex_lock(&priv->lock); if ((priv->cur_fw.type & (BASE | FM | DTV6 | DTV7 | DTV78 | DTV8)) == BASE) { u16 snr = 0; @@ -1529,8 +1529,8 @@ static int xc4000_get_frequency(struct dvb_frontend *fe, u32 *freq) return 0; } } - mutex_unlock(&priv->lock); } + mutex_unlock(&priv->lock); dprintk(1, "%s()\n", __func__);
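Review bot: for the first hunk (@@ -1515), the commit message should state that the writer side, xc4000_set_params(), updates priv->freq_hz and priv->freq_offset while holding priv->lock. Moving `mutex_lock(&priv->lock);` above `*freq = priv->freq_hz + priv->freq_offset;` only makes the read atomic with respect to writers that take the same mutex, and the message says the change could not be runtime-tested, so a one-line statement of that invariant would let reviewers confirm from the message alone that the fix is complete.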
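Review bot: for the second hunk (@@ -1529), the `return 0;` in its leading context now lies inside a critical section that begins before `if (debug)`, and the lines between the two hunks that lead to that return are not visible here; confirm that this early-return path still calls `mutex_unlock(&priv->lock);` before returning, otherwise the widened lock scope would leave the mutex held on the debug path. Moving the unlock from inside `if (debug)` to after the block is correct for the non-debug path, which previously never took the lock and now does.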
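The following is an added example and is not code from the patch or from the xc4000 driver. It models the pattern the commit message describes with user-space pthreads: a writer updates two related fields under a mutex, as xc4000_set_params() does, and a reader sums them, once without the lock (the pre-patch shape of xc4000_get_frequency()) and once with the lock bracketing both loads (the post-patch shape). The struct `tuner_priv`, the functions `set_params`, `get_frequency_unlocked`, `get_frequency_locked` and `count_torn_reads`, and the frequency values are all constructed stand-ins, not the driver's own names or data. A read is "torn" when it equals neither of the two sums the writer ever makes visible together.

```c
/* Added example (not part of the patch): torn read of two related fields
 * versus a read bracketed by the same mutex the writer holds. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct tuner_priv {            /* constructed stand-in for struct xc4000_priv */
    pthread_mutex_t lock;
    uint32_t freq_hz;
    uint32_t freq_offset;
};

/* Two constructed (freq_hz, freq_offset) pairs the writer alternates between.
 * Their sums differ, so a mixed pair is detectable. */
#define PAIR_A_HZ     100000000u
#define PAIR_A_OFFSET   1250000u
#define PAIR_B_HZ     200000000u
#define PAIR_B_OFFSET   4500000u
#define SUM_A (PAIR_A_HZ + PAIR_A_OFFSET)
#define SUM_B (PAIR_B_HZ + PAIR_B_OFFSET)

/* Writer side, like xc4000_set_params(): both fields change under priv->lock. */
static void set_params(struct tuner_priv *priv, uint32_t hz, uint32_t off)
{
    pthread_mutex_lock(&priv->lock);
    priv->freq_hz = hz;
    priv->freq_offset = off;
    pthread_mutex_unlock(&priv->lock);
}

/* Reader before the fix: both loads happen outside the lock, so the writer
 * can slip in between them and the caller sees one old and one new field. */
static uint32_t get_frequency_unlocked(struct tuner_priv *priv)
{
    return priv->freq_hz + priv->freq_offset;
}

/* Reader after the fix: the lock brackets both loads, so the pair is the
 * one some single set_params() call published. */
static uint32_t get_frequency_locked(struct tuner_priv *priv)
{
    pthread_mutex_lock(&priv->lock);
    uint32_t f = priv->freq_hz + priv->freq_offset;
    pthread_mutex_unlock(&priv->lock);
    return f;
}

/* A value is consistent iff it is the sum of one of the pairs ever written. */
static bool is_consistent(uint32_t f)
{
    return f == SUM_A || f == SUM_B;
}

struct writer_args {
    struct tuner_priv *priv;
    atomic_int stop;
};

/* Keeps flipping the tuner between pair A and pair B until told to stop. */
static void *writer_thread(void *arg)
{
    struct writer_args *a = arg;
    int use_a = 0;
    while (!atomic_load(&a->stop)) {
        if (use_a)
            set_params(a->priv, PAIR_A_HZ, PAIR_A_OFFSET);
        else
            set_params(a->priv, PAIR_B_HZ, PAIR_B_OFFSET);
        use_a = !use_a;
    }
    return NULL;
}

/* Runs `reader` `iterations` times against a concurrent writer and returns
 * how many reads were torn. The locked reader must always return 0. */
static long count_torn_reads(uint32_t (*reader)(struct tuner_priv *), long iterations)
{
    struct tuner_priv priv = { PTHREAD_MUTEX_INITIALIZER, PAIR_A_HZ, PAIR_A_OFFSET };
    struct writer_args a = { &priv, 0 };
    pthread_t w;
    long torn = 0;

    pthread_create(&w, NULL, writer_thread, &a);
    for (long i = 0; i < iterations; i++)
        if (!is_consistent(reader(&priv)))
            torn++;
    atomic_store(&a.stop, 1);
    pthread_join(w, NULL);
    return torn;
}

int main(void)
{
    printf("unlocked reader: %ld torn reads\n",
           count_torn_reads(get_frequency_unlocked, 2000000));
    printf("locked reader:   %ld torn reads\n",
           count_torn_reads(get_frequency_locked, 2000000));
    return 0;
}
```

Whether the unlocked reader actually shows torn reads in a given run depends on scheduling and core count, which is exactly why the commit message relies on code logic rather than a reproducer; the locked reader's zero count is the property the patch restores, and it holds only because the writer takes the same `priv->lock`.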