APPLIED: [SRU][J/F][PATCH 0/1] CVE-2023-52629

Stefan Bader stefan.bader at canonical.com
Fri Jul 19 08:48:14 UTC 2024


On 08.07.24 17:37, Bethany Jamison wrote:
> [Impact]
> 
> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
> 
> The original code puts flush_work() before timer_shutdown_sync()
> in switch_drv_remove(). Although we use flush_work() to stop
> the worker, it could be rescheduled in switch_timer(). As a result,
> a use-after-free bug can occur. The details are shown below:
> 
>        (cpu 0)                    |      (cpu 1)
> switch_drv_remove()              |
>   flush_work()                    |
>    ...                            |  switch_timer // timer
>                                   |   schedule_work(&psw->work)
>   timer_shutdown_sync()           |
>   ...                             |  switch_work_handler // worker
>   kfree(psw) // free              |
>                                   |   psw->state = 0 // use
> 
> This patch puts timer_shutdown_sync() before flush_work() to
> mitigate the bugs. As a result, the worker and timer will be
> stopped safely before the deallocate operations.
> 
> [Fix]
> 
> Noble:	not affected
> Jammy:	Backported - context conflict with neighboring line
> Focal:	Jammy patch applied cleanly
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty: not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use the push-switch framework; an issue
> with this fix would be visible to the user via unpredicted system
> behavior or a system crash.
> 
> Duoming Zhou (1):
>    sh: push-switch: Reorder cleanup operations to avoid use-after-free
>      bug
> 
>   arch/sh/drivers/push-switch.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan
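To make the interleaving in the quoted cover letter concrete, here is an added userspace model of the two cleanup orderings in switch_drv_remove(). It is example code written for this page, not kernel code and not part of the patch: the timer, the work item and kfree() are replaced by a small deterministic state machine (struct sim, run_remove(), and the "freed" flag are all assumed names), so the late access by the work handler can be observed instead of corrupting memory. The simulated timer is allowed to fire once between the two cleanup calls, exactly where the cover letter places it on cpu 1.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* The driver object: in the kernel this is kfree()d at the end of remove. */
struct psw {
    int state;
    bool freed;   /* constructed marker standing in for "memory has been returned" */
};

/* Constructed model state: one timer, one work item, one detection flag. */
struct sim {
    struct psw *psw;
    bool timer_active;   /* timer may still fire and re-arm */
    bool work_pending;   /* work item is queued but has not run yet */
    bool uaf_detected;   /* work handler touched the object after "kfree" */
};

/* switch_timer(): the timer callback only schedules the work item. */
static void switch_timer(struct sim *s)
{
    if (!s->timer_active)
        return;                 /* a shut-down timer never fires again */
    s->work_pending = true;     /* schedule_work(&psw->work) */
}

/* switch_work_handler(): the worker writes to the object. */
static void switch_work_handler(struct sim *s)
{
    if (s->psw->freed) {        /* the real kernel would write to freed memory here */
        s->uaf_detected = true;
        return;
    }
    s->psw->state = 0;          /* psw->state = 0 */
}

/* flush_work(): run whatever is queued right now, then return. */
static void flush_work(struct sim *s)
{
    if (s->work_pending) {
        s->work_pending = false;
        switch_work_handler(s);
    }
}

/* timer_shutdown_sync(): after this the timer can neither fire nor re-arm. */
static void timer_shutdown_sync(struct sim *s)
{
    s->timer_active = false;
}

/*
 * Run the remove path in the original order (flush first) or the fixed
 * order (shutdown first). If timer_fires is set, the timer fires once
 * between the two cleanup calls, as on cpu 1 in the cover letter.
 * Returns true when the work handler runs after the object was freed.
 */
bool run_remove(bool fixed_order, bool timer_fires)
{
    struct psw *psw = calloc(1, sizeof(*psw));
    struct sim s = { .psw = psw, .timer_active = true };

    if (fixed_order) {
        timer_shutdown_sync(&s);        /* timer can no longer reschedule work */
        if (timer_fires)
            switch_timer(&s);           /* ignored: timer already shut down */
        flush_work(&s);                 /* nothing can be queued after this */
    } else {
        flush_work(&s);                 /* worker drained ... */
        if (timer_fires)
            switch_timer(&s);           /* ... but the timer re-queues it */
        timer_shutdown_sync(&s);        /* too late: work is already pending */
    }

    psw->freed = true;                  /* kfree(psw) */

    /* cpu 1: a still-pending work item runs after the free. */
    if (s.work_pending) {
        s.work_pending = false;
        switch_work_handler(&s);
    }

    bool uaf = s.uaf_detected;
    free(psw);
    return uaf;
}

int main(void)
{
    printf("original order, timer fires: uaf=%d\n", run_remove(false, true));
    printf("fixed order,    timer fires: uaf=%d\n", run_remove(true, true));
    printf("original order, timer idle:  uaf=%d\n", run_remove(false, false));
    return 0;
}
```

The model shows why swapping the two calls is sufficient: flush_work() only drains work that is queued at the moment it is called, so anything that can still enqueue work (here, the timer) has to be stopped first. When reviewing similar remove paths, the check is the same: every source of new work must be shut down before the final flush, and the flush must come before the free.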
