ACK: [SRU][M/J/F][PATCH 0/1] CVE-2024-24861
Stefan Bader
stefan.bader at canonical.com
Fri May 10 12:38:23 UTC 2024
On 30.04.24 19:33, Bethany Jamison wrote:
> [Impact]
>
> A race condition was found in the Linux kernel's media/xc4000 device driver
> in xc4000 xc4000_get_frequency() function. This can result in return value
> overflow issue, possibly leading to malfunction or denial of service issue.
>
> media: xc4000: Fix atomicity violation in xc4000_get_frequency
>
> In xc4000_get_frequency():
> *freq = priv->freq_hz + priv->freq_offset;
> The code accesses priv->freq_hz and priv->freq_offset without holding any
> lock.
>
> In xc4000_set_params():
> // Code that updates priv->freq_hz and priv->freq_offset
> ...
>
> xc4000_get_frequency() and xc4000_set_params() may execute concurrently,
> risking inconsistent reads of priv->freq_hz and priv->freq_offset. Since
> these related data may update during reading, it can result in incorrect
> frequency calculation, leading to atomicity violations.
>
> This possible bug is found by an experimental static analysis tool
> developed by our team, BassCheck[1]. This tool analyzes the locking APIs
> to extract function pairs that can be concurrently executed, and then
> analyzes the instructions in the paired functions to identify possible
> concurrency bugs including data races and atomicity violations. The above
> possible bug is reported when our tool analyzes the source code of
> Linux 6.2.
>
> To address this issue, it is proposed to add a mutex lock pair in
> xc4000_get_frequency() to ensure atomicity. With this patch applied, our
> tool no longer reports the possible bug, with the kernel configuration
> allyesconfig for x86_64. Due to the lack of associated hardware, we cannot
> test the patch in runtime testing, and just verify it according to the
> code logic.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux.6.6.y
> Jammy: Mantic patch applied cleanly
> Focal: Mantic patch applied cleanly
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the Xceive XC4000 "QAM/8VSB single chip
> tuner" driver when accessing the frequency value, an issue with this fix
> would be visible to the user via unpredicted system behavior or a system
> crash.
>
> Gui-Dong Han (1):
> media: xc4000: Fix atomicity violation in xc4000_get_frequency
>
> drivers/media/tuners/xc4000.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
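The race the cover letter describes (an unlocked read of two related fields in xc4000_get_frequency() while xc4000_set_params() updates them) is easy to reproduce in user space. The following is an added example, not code from the xc4000 driver, the upstream commit or the Ubuntu SRU: it models priv as a small struct guarded by a pthread mutex, keeps an unlocked getter shaped like the pre-patch code next to a getter bracketed by the mutex pair the fix adds, and counts how often a reader racing a writer observes a sum that matches neither of the two consistent (freq_hz, freq_offset) pairs. The struct name, the frequency values and the helper names are assumptions chosen for illustration.

```c
/*
 * Added example, not code from drivers/media/tuners/xc4000.c or from the
 * SRU patch. User-space model of the xc4000_get_frequency() race: the
 * struct layout, values and helper names below are assumptions.
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

struct tuner_priv {              /* stand-in for the driver's priv */
    pthread_mutex_t lock;        /* stand-in for priv->lock */
    uint32_t freq_hz;
    uint32_t freq_offset;
};

/* Two consistent (freq_hz, freq_offset) pairs the writer alternates between. */
#define HZ_A  474000000u
#define OFF_A   1250000u
#define HZ_B  538000000u
#define OFF_B   2750000u

/* Shape of xc4000_set_params(): both fields are updated under the lock. */
static void model_set_params(struct tuner_priv *priv, uint32_t hz, uint32_t off)
{
    pthread_mutex_lock(&priv->lock);
    priv->freq_hz = hz;
    for (volatile int i = 0; i < 50; i++)   /* widen the window between the two stores */
        ;
    priv->freq_offset = off;
    pthread_mutex_unlock(&priv->lock);
}

/* Pre-patch shape: both fields read with no lock held. */
static uint32_t get_frequency_unlocked(struct tuner_priv *priv)
{
    return priv->freq_hz + priv->freq_offset;
}

/* Post-patch shape: the same read bracketed by the mutex pair the fix adds. */
static uint32_t get_frequency_locked(struct tuner_priv *priv)
{
    uint32_t freq;
    pthread_mutex_lock(&priv->lock);
    freq = priv->freq_hz + priv->freq_offset;
    pthread_mutex_unlock(&priv->lock);
    return freq;
}

struct writer_arg { struct tuner_priv *priv; volatile int *stop; };

/* Writer thread: keeps flipping between the two consistent pairs until told to stop. */
static void *writer_thread(void *p)
{
    struct writer_arg *a = p;
    while (!*a->stop) {
        model_set_params(a->priv, HZ_A, OFF_A);
        model_set_params(a->priv, HZ_B, OFF_B);
    }
    return NULL;
}

/*
 * Take `samples` reads with the chosen getter while a writer runs, and return
 * how many results equal neither HZ_A+OFF_A nor HZ_B+OFF_B, i.e. how many
 * reads were torn across a set_params() update. Returns -1 if the writer
 * thread could not be started.
 */
static long count_torn_reads(uint32_t (*getter)(struct tuner_priv *), long samples)
{
    struct tuner_priv priv = { PTHREAD_MUTEX_INITIALIZER, HZ_A, OFF_A };
    volatile int stop = 0;
    struct writer_arg arg = { &priv, &stop };
    pthread_t tid;
    long torn = 0;

    if (pthread_create(&tid, NULL, writer_thread, &arg) != 0)
        return -1;
    for (long i = 0; i < samples; i++) {
        uint32_t f = getter(&priv);
        if (f != HZ_A + OFF_A && f != HZ_B + OFF_B)
            torn++;
        __asm__ volatile("" ::: "memory");   /* keep the compiler from hoisting the unlocked read */
    }
    stop = 1;
    pthread_join(tid, NULL);
    pthread_mutex_destroy(&priv.lock);
    return torn;
}

int main(void)
{
    long samples = 200000;
    printf("unlocked getter: %ld torn reads in %ld samples\n",
           count_torn_reads(get_frequency_unlocked, samples), samples);
    printf("locked getter:   %ld torn reads in %ld samples\n",
           count_torn_reads(get_frequency_locked, samples), samples);
    return 0;
}
```

The locked getter can never return a torn sum because the writer's two stores and the reader's two loads are serialised by the same mutex; the unlocked getter usually does on a multi-core machine, though how often depends on scheduling, which is why the cover letter's "compile and boot tested" is the honest test case for a change that cannot be exercised without the tuner hardware.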