[SRU][J/F][PATCH 0/1] CVE-2023-52629

Bethany Jamison bethany.jamison at canonical.com
Mon Jul 8 15:37:59 UTC 2024


[Impact]

sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync()
in switch_drv_remove(). Although we use flush_work() to stop
the worker, it could be rescheduled in switch_timer(). As a result,
a use-after-free bug can occur. The details are shown below:

      (cpu 0)                    |      (cpu 1)
switch_drv_remove()              |
 flush_work()                    |
  ...                            |  switch_timer // timer
                                 |   schedule_work(&psw->work)
 timer_shutdown_sync()           |
 ...                             |  switch_work_handler // worker
 kfree(psw) // free              |
                                 |   psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to
mitigate the bugs. As a result, the worker and timer will be
stopped safely before the deallocate operations.
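To make the interleaving in the diagram concrete, here is a deterministic user-space model of switch_drv_remove() in both orders. It is an added example, not the driver's code or part of the patch: struct psw_model, model_timer_fire(), model_run_work() and model_remove() are hypothetical stand-ins for struct push_switch, switch_timer(), switch_work_handler() and the remove path, and the "use" after kfree() is recorded as a counter instead of an actual dangling write.

```c
#include <stdbool.h>

/* Hypothetical model of the driver's private object: only the state the
 * race depends on, not the real struct push_switch. */
struct psw_model {
    bool timer_armed;   /* timer still armed (timer_shutdown_sync() not yet run) */
    bool work_pending;  /* a work item is queued (schedule_work() was called) */
    bool freed;         /* kfree(psw) has happened */
    int  uaf_hits;      /* worker touched the object after free: use-after-free */
};

/* Stand-in for switch_timer(): while armed, it re-queues the work item. */
static void model_timer_fire(struct psw_model *p)
{
    if (p->timer_armed)
        p->work_pending = true;
}

/* Stand-in for switch_work_handler(): runs once per queued item and writes
 * psw->state. Here the write is counted as a UAF if the object is freed. */
static void model_run_work(struct psw_model *p)
{
    if (!p->work_pending)
        return;
    p->work_pending = false;
    if (p->freed)
        p->uaf_hits++;
}

/* remove() in the order chosen by @shutdown_first. The timer fires once
 * between the two cleanup calls (the "(cpu 1)" column of the diagram), and
 * whatever is still queued runs after kfree(), as a workqueue would. */
static int model_remove(bool shutdown_first)
{
    struct psw_model p = { .timer_armed = true, .work_pending = true };
    if (shutdown_first)
        p.timer_armed = false;          /* timer_shutdown_sync() first (fixed) */
    model_run_work(&p);                 /* flush_work(): drain the current worker */
    model_timer_fire(&p);               /* timer fires on cpu 1 */
    if (!shutdown_first)
        p.timer_armed = false;          /* timer_shutdown_sync() too late (buggy) */
    p.freed = true;                     /* kfree(psw) */
    model_run_work(&p);                 /* late worker: psw->state = 0 */
    return p.uaf_hits;
}

/* flush_work() before timer_shutdown_sync(): the re-queued worker runs on
 * freed memory. */
int run_buggy_order(void) { return model_remove(false); }
/* timer_shutdown_sync() before flush_work(): nothing can be re-queued. */
int run_fixed_order(void) { return model_remove(true); }
```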

[Fix]

Noble:  not affected
Jammy:  Backported - context conflict with neighboring line
Focal:  Jammy patch applied cleanly
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: not going to be fixed by us

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix affects those who use the push-switch framework. An issue
with this fix would be visible to the user as unpredictable system
behavior or a system crash.

Duoming Zhou (1):
  sh: push-switch: Reorder cleanup operations to avoid use-after-free
    bug

 arch/sh/drivers/push-switch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.34.1
