Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-56545

Description

In the Linux kernel, the following vulnerability has been resolved:HID: hyperv: streamline driver probe to avoid devres issuesIt was found that unloading 'hid_hyperv' module results in a devrescomplaint: ... hv_vmbus: unregistering driver hid_hyperv ------------[ cut here ]------------ WARNING: CPU: 2 PID: 3983 at drivers/base/devres.c:691 devres_release_group+0x1f2/0x2c0 ... Call Trace: ? devres_release_group+0x1f2/0x2c0 ? __warn+0xd1/0x1c0 ? devres_release_group+0x1f2/0x2c0 ? report_bug+0x32a/0x3c0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? devres_release_group+0x1f2/0x2c0 ? devres_release_group+0x90/0x2c0 ? rcu_is_watching+0x15/0xb0 ? __pfx_devres_release_group+0x10/0x10 hid_device_remove+0xf5/0x220 device_release_driver_internal+0x371/0x540 ? klist_put+0xf3/0x170 bus_remove_device+0x1f1/0x3f0 device_del+0x33f/0x8c0 ? __pfx_device_del+0x10/0x10 ? cleanup_srcu_struct+0x337/0x500 hid_destroy_device+0xc8/0x130 mousevsc_remove+0xd2/0x1d0 [hid_hyperv] device_release_driver_internal+0x371/0x540 driver_detach+0xc5/0x180 bus_remove_driver+0x11e/0x2a0 ? __mutex_unlock_slowpath+0x160/0x5e0 vmbus_driver_unregister+0x62/0x2b0 [hv_vmbus] ...And the issue seems to be that the corresponding devres group is notallocated. Normally, devres_open_group() is called from__hid_device_probe() but Hyper-V HID driver overrides 'hid_dev->driver'with 'mousevsc_hid_driver' stub and basically re-implements__hid_device_probe() by calling hid_parse() and hid_hw_start() but notdevres_open_group(). hid_device_probe() does not call __hid_device_probe()for it. Later, when the driver is removed, hid_device_remove() callsdevres_release_group() as it doesn't check whether hdev->driver wasinitially overridden or not.The issue seems to be related to the commit 62c68e7cee33 ("HID: ensuretimely release of driver-allocated resources") but the commit itself seemsto be correct.Fix the issue by dropping the 'hid_dev->driver' override and usinghid_register_driver()/hid_unregister_driver() instead. Alternatively, itwould have been possible to rely on the default handling butHID_CONNECT_DEFAULT implies HID_CONNECT_HIDRAW and it doesn't seem to workfor mousevsc as-is.

POC

Reference

No PoCs from references.

Github

- https://github.com/cku-heise/euvd-api-doc