commit 848879d708619c17e156e7567fb1d2b67abda39a
author Vaibhav Rustagi <vaibhavrustagi@google.com> Mon May 23 11:50:30 2022 -0700
committer COS Cherry Picker <cloud-image-release@prod.google.com> Mon May 23 22:29:50 2022 -0700
tree 15995434d1444868ee215f6ebb1152e314059205
parent 81aee4b8f3642a8dfb76d877d4b552aa765bf9ea

perf: Fix sys_perf_event_open() race against self

commit 3ac6487e584a1eb54071dbe1212e05b884136704 upstream.

Norbert reported that it's possible to race sys_perf_event_open() such
that the looser ends up in another context from the group leader,
triggering many WARNs.

The move_group case checks for races against itself, but the
!move_group case doesn't, seemingly relying on the previous
group_leader->ctx == ctx check. However, that check is racy due to not
holding any locks at that time.

Therefore, re-check the result after acquiring locks and bailing
if they no longer match.

Additionally, clarify the not_move_group case from the
move_group-vs-move_group race.

BUG=b/233371845
TEST=presubmit
SOURCE=UPSTREAM(https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.4/perf-fix-sys_perf_event_open-race-against-self.patch?id=5c1c22120ab62c2b693bc6cee6cb2ee52a3662d1)
RELEASE_NOTE=Fixed CVE-2022-1729 in the Linux Kernel.

cos-patch: security-high
Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Id32b99544094c822854b57e55d83fd540796434f
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/33085
Reviewed-by: Meena Shanmugam <meenashanmugam@google.com>
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>

kernel/events/core.c

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 18d7966..f491cc0 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11146,6 +11146,9 @@
 		 * Do not allow to attach to a group in a different task
 		 * or CPU context. If we're moving SW events, we'll fix
 		 * this up later, so allow that.
+		 *
+		 * Racy, not holding group_leader->ctx->mutex, see comment with
+		 * perf_event_ctx_lock().
 		 */
 		if (!move_group && group_leader->ctx != ctx)
 			goto err_context;
@@ -11213,6 +11216,7 @@
 			} else {
 				perf_event_ctx_unlock(group_leader, gctx);
 				move_group = 0;
+				goto not_move_group;
 			}
 		}
 
@@ -11229,7 +11233,17 @@
 		}
 	} else {
 		mutex_lock(&ctx->mutex);
+
+		/*
+		 * Now that we hold ctx->lock, (re)validate group_leader->ctx == ctx,
+		 * see the group_leader && !move_group test earlier.
+		 */
+		if (group_leader && group_leader->ctx != ctx) {
+			err = -EINVAL;
+			goto err_locked;
+		}
 	}
+not_move_group:
 
 	if (ctx->task == TASK_TOMBSTONE) {
 		err = -ESRCH;