[SRU][F 0/16][J 0/1][PATCH v3] CVE-2024-35887
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Fri Nov 29 17:00:01 UTC 2024
[Impact]
ax25: fix use-after-free bugs caused by ax25_ds_del_timer
When the ax25 device is detaching, the ax25_dev_device_down()
calls ax25_ds_del_timer() to cleanup the slave_timer. When
the timer handler is running, the ax25_ds_del_timer() that
calls del_timer() in it will return directly. As a result,
the use-after-free bugs could happen.
In order to mitigate bugs, when the device is detaching, use
timer_shutdown_sync() to stop the timer.
[Fix]
Noble: Fixed
Jammy: Cherry picked from mainline
Focal:
- Clean cherry pick of 8fd8ad5c5dfc (mainline): cherry picked since
it provides the definition of lockdep_assert_preemption_enabled()
- Clean cherry pick of c725dafc95f1 (mainline): cherry picked since it
is a prereq for 8553b5f2774a
- Backported the patchset [1], since it provides timer_shutdown_sync(),
which is necessary to apply the fix commit
- Backported b0b0aa5d858d from mainline
- Cherry picked 80b55772d41d from mainline
- Cherry picked 73737a5833ac from mainline
- Backported 6e1fc2591f11 from mainline
- Backported 9a5a30568697 from mainline
- Backported 82ed6f7ef58f from mainline
- 14f043f1340b already backported via stable updates
- 168f6b6ffbee already backported via stable updates
- 9b13df3fb64e already backported via stable updates
- Cherry picked bb663f0f3c39 from mainline
- Backported 87bdd932e858 from mainline
- Cherry picked d02e382cef06 from mainline
- Backported 8553b5f2774a from mainline
- Cherry picked 0cc04e80458a from mainline
- Cherry picked f571faf6e443 from mainline
- Backported a31323bef2b6 from mainline
- Cherry pick of the fix commit from mainline.
Bionic: Work in progress
Xenial: Work in progress
[Test Case]
Compile and boot tested.
Since the patch set significantly modifies the "timers" subsystem I also
used kselftest with target "timers" to make sure the patch set does not
introduce any regression.
[Where problems could occur]
The fix affects net/ax25 and (for Focal) the core timer subsystem.
In Jammy a regression is not likely.
In Focal, since the core timer subsystem has been modified
significantly, the entire kernel could be impacted. This could lead to
widespread timer failures, causing system instability and kernel
crashes.
[Note]
The fix for the CVE uses the function timer_shutdown_sync(), which is
safe to use in pretty much every context.
This function is not implemented in Focal. The closest function to
timer_shutdown_sync(), in Focal, is timer_delete_sync() which has strict
requirements:
Synchronization rules: Callers must prevent restarting of the timer,
otherwise this function is meaningless. It must not be called from
interrupt contexts unless the timer is an irqsafe one. The caller must
not hold locks which would prevent completion of the timer's callback
function. The timer's handler must not call add_timer_on(). Upon exit
the timer is not queued and the handler is not running on any CPU.
For !irqsafe timers, the caller must not hold locks that are held in
interrupt context.
and does not implement the shutdown logic implemented by
timer_shutdown_sync().
For these reasons I decided to backport also patches related to timers.
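To make the difference described in [Impact] and [Note] concrete, here is an added userspace model (not code from the patch set or the kernel) of the three timer operations involved. It follows the mainline shutdown design that this series backports: timer_shutdown_sync() clears the timer's function pointer and a timer with a NULL function is silently ignored on re-arm, while del_timer() only dequeues and does not wait for a running handler. The names mirror the kernel API but are hypothetical reimplementations; the slave_timeout() handler is a stand-in for the DAMA slave timer that re-arms itself.

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal model of a kernel timer; function == NULL means "shut down". */
struct timer_list {
    void (*function)(struct timer_list *);
    bool pending;   /* queued, waiting to expire */
    bool running;   /* handler executing on some CPU */
};

/* Model of mod_timer(): a shut-down timer is silently ignored (no re-arm). */
static int mod_timer(struct timer_list *t)
{
    if (t->function == NULL)
        return 0;
    t->pending = true;
    return 1;
}
/* Model of del_timer(): dequeues, but does nothing about a running handler. */
static void del_timer(struct timer_list *t) { t->pending = false; }
/* Model of timer_shutdown_sync(): dequeue, forbid re-arming, wait for an
 * in-flight handler. Single-threaded, so "waiting" means running that
 * handler to completion right here; its mod_timer() is now refused. */
static void timer_shutdown_sync(struct timer_list *t)
{
    void (*fn)(struct timer_list *) = t->function;
    t->pending = false;
    t->function = NULL;
    if (t->running && fn)
        fn(t);
}
/* Stand-in for the DAMA slave timeout handler: it re-arms itself. */
static void slave_timeout(struct timer_list *t)
{
    mod_timer(t);
    t->running = false;
}

/* Handler is mid-flight when the device goes down. Returns true if the timer
 * is left queued after the ax25_dev it belongs to has been freed. */
static bool teardown_leaves_dangling_timer(bool use_shutdown)
{
    struct timer_list slave_timer = { slave_timeout, false, true }; /* CPU A: handler entered */
    if (use_shutdown)                       /* CPU B: ax25_dev_device_down() */
        timer_shutdown_sync(&slave_timer);
    else
        del_timer(&slave_timer);            /* returns without waiting */
    /* ax25_dev is freed here; a pending timer would now fire on freed memory */
    if (slave_timer.running)                /* CPU A: handler body continues */
        slave_timeout(&slave_timer);
    return slave_timer.pending;
}
```

With del_timer() the handler re-arms after teardown and the timer stays queued, which is the use-after-free window; with timer_shutdown_sync() the re-arm is refused and the function returns only after the handler has finished.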
[Changes between v1 and v2]
Removed the following superfluous change in [F][PATCH 4/9]:
- WARN_ON(in_irq() && !(timer->flags & TIMER_IRQSAFE));
+ WARN_ON(hardirq_count() && !(timer->flags & TIMER_IRQSAFE));
as in_irq() is defined as:
#define in_irq() (hardirq_count())
[Changes between v2 and v3]
Backported more prereqs from [1].
[1] https://lore.kernel.org/all/20221123201625.314230270@linutronix.de/T/#u
Ahmed S. Darwish (1):
lockdep: Add preemption enabled/disabled assertion APIs
Duoming Zhou (1):
ax25: fix use-after-free bugs caused by ax25_ds_del_timer
Sebastian Andrzej Siewior (1):
timers: Don't block on ->expiry_lock for TIMER_IRQSAFE timers
Steven Rostedt (Google) (4):
ARM: spear: Do not use timer namespace for timer_shutdown() function
clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function
clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function
timers: Update the documentation to reflect on the new timer_shutdown() API
Thomas Gleixner (9):
Documentation: Remove bogus claim about del_timer_sync()
timers: Get rid of del_singleshot_timer_sync()
timers: Replace BUG_ON()s
timers: Rename del_timer() to timer_delete()
Documentation: Replace del_timer/del_timer_sync()
timers: Silently ignore timers with a NULL function
timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
timers: Add shutdown mechanism to the internal functions
timers: Provide timer_shutdown[_sync]()
.../RCU/Design/Requirements/Requirements.html | 2 +-
Documentation/core-api/local_ops.rst | 2 +-
Documentation/kernel-hacking/locking.rst | 18 +-
Documentation/timers/hrtimers.rst | 2 +-
.../it_IT/kernel-hacking/locking.rst | 14 +-
arch/arm/mach-spear/time.c | 8 +-
drivers/char/tpm/tpm-dev-common.c | 4 +-
drivers/clocksource/arm_arch_timer.c | 12 +-
drivers/clocksource/timer-sp804.c | 6 +-
drivers/misc/sgi-xp/xpc_partition.c | 2 +-
drivers/staging/wlan-ng/hfa384x_usb.c | 4 +-
drivers/staging/wlan-ng/prism2usb.c | 6 +-
include/linux/lockdep.h | 19 ++
include/linux/timer.h | 17 +-
kernel/time/timer.c | 322 ++++++++++++++----
lib/Kconfig.debug | 1 +
net/ax25/ax25_dev.c | 2 +-
net/sunrpc/xprt.c | 2 +-
18 files changed, 343 insertions(+), 100 deletions(-)
--
2.43.0