ACK: [SRU][J/F][PATCH 0/1] CVE-2023-52629
Noah Wager
noah.wager at canonical.com
Tue Jul 9 02:22:09 UTC 2024
Acked-by: Noah Wager <noah.wager at canonical.com>
On Mon, Jul 08, 2024 at 10:37:59AM -0500, Bethany Jamison wrote:
> [Impact]
>
> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
>
> The original code puts flush_work() before timer_shutdown_sync()
> in switch_drv_remove(). Although we use flush_work() to stop
> the worker, it could be rescheduled in switch_timer(). As a result,
> a use-after-free bug can occur. The details are shown below:
>
> (cpu 0)                     | (cpu 1)
> switch_drv_remove()         |
>   flush_work()              |
>   ...                       | switch_timer // timer
>                             |   schedule_work(&psw->work)
>   timer_shutdown_sync()     |
>   ...                       | switch_work_handler // worker
>   kfree(psw) // free        |
>                             |   psw->state = 0 // use
>
> This patch puts timer_shutdown_sync() before flush_work() to
> mitigate the bugs. As a result, the worker and timer will be
> stopped safely before the deallocate operations.
>
> [Fix]
>
> Noble: not affected
> Jammy: Backported - context conflict with neighboring line
> Focal: Jammy patch applied cleanly
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use the push-switch framework; an issue
> with this fix would be visible to the user as unpredicted system
> behavior or a system crash.
>
> Duoming Zhou (1):
> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
>
> arch/sh/drivers/push-switch.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
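The ordering argument in the cover letter above can be replayed outside the kernel. The following is an added example written for this page, not code from the push-switch driver or from the patch: a deterministic, single-threaded model in which "cpu 1" (the timer and the worker) gets to run between each teardown step of switch_drv_remove(). Every name in it (teardown, other_cpu_tick, the *_model helpers, struct model) is hypothetical; the timer is simplified to fire at every tick while it has not been shut down, and kfree() is modelled by a freed flag so that a late handler run is counted instead of corrupting memory. It shows why flush_work() alone cannot protect the free: nothing stops the timer from queueing the work again, whereas timer_shutdown_sync() first guarantees no new work can appear before flush_work() drains the queue.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical model of the switch_drv_remove() teardown race (added
 * example, not the driver's code). "cpu 1" is simulated by calling
 * other_cpu_tick() between the teardown steps on "cpu 0".
 */

struct psw_model {
    int state;          /* field the work handler writes: psw->state = 0 */
    bool freed;         /* models kfree(psw); any later access is a UAF */
};

struct model {
    struct psw_model *psw;
    bool timer_active;  /* timer may still fire (not yet shut down) */
    bool work_pending;  /* schedule_work() has queued the handler */
    int uaf_events;     /* handler ran against an already-freed psw */
};

/* switch_work_handler(): the deferred work, run on the worker. */
static void work_handler(struct model *m)
{
    if (m->psw->freed)
        m->uaf_events++;        /* would be psw->state = 0 on freed memory */
    else
        m->psw->state = 0;
}

/* switch_timer(): the timer callback re-queues the work. */
static void timer_fire(struct model *m)
{
    if (m->timer_active)
        m->work_pending = true; /* schedule_work(&psw->work) */
}

/* Run whatever is queued; shared by flush_work() and the worker itself. */
static void run_pending(struct model *m)
{
    if (m->work_pending) {
        m->work_pending = false;
        work_handler(m);
    }
}

/* flush_work(): drains queued work now but cannot prevent re-queueing. */
static void flush_work_model(struct model *m) { run_pending(m); }

/* timer_shutdown_sync(): after return the timer can never fire again. */
static void timer_shutdown_sync_model(struct model *m) { m->timer_active = false; }

static void kfree_model(struct model *m) { m->psw->freed = true; }

/* What the other CPU does between teardown steps: the timer fires. */
static void other_cpu_tick(struct model *m) { timer_fire(m); }

/*
 * Replay switch_drv_remove() with either ordering and return the number
 * of use-after-free events the worker produced.
 */
int teardown(bool shutdown_timer_first)
{
    struct psw_model psw = { .state = 1, .freed = false };
    struct model m = { .psw = &psw, .timer_active = true,
                       .work_pending = false, .uaf_events = 0 };

    other_cpu_tick(&m);                 /* a switch event already queued work */
    if (shutdown_timer_first) {         /* patched ordering */
        timer_shutdown_sync_model(&m);
        other_cpu_tick(&m);             /* timer is dead: nothing queued */
        flush_work_model(&m);
    } else {                            /* original ordering */
        flush_work_model(&m);
        other_cpu_tick(&m);             /* timer fires, work re-queued */
        timer_shutdown_sync_model(&m);
    }
    other_cpu_tick(&m);
    kfree_model(&m);
    run_pending(&m);                    /* cpu 1 finally runs the worker */
    return m.uaf_events;
}

int main(void)
{
    printf("original ordering: %d use-after-free event(s)\n", teardown(false));
    printf("patched ordering:  %d use-after-free event(s)\n", teardown(true));
    return 0;
}
```

The model is intentionally pessimistic about scheduling: the timer is allowed to fire at every opportunity, which is exactly the interleaving a reviewer has to assume when reasoning about teardown order. The same shape (stop every source that can enqueue work, then drain the queue, then free) is the check to apply when reviewing other driver remove paths that mix timers, IRQs and workqueues.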