APPLIED: [SRU][F/J][PATCH 0/1] CVE-2024-38630

Stefan Bader stefan.bader at canonical.com
Fri Sep 13 09:42:50 UTC 2024 

On 10.09.24 03:44, Koichiro Den wrote:
> [Impact]
> 
> watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
> 
> When the cpu5wdt module is removing, the origin code uses del_timer() to
> de-activate the timer. If the timer handler is running, del_timer() could
> not stop it and will return directly. If the port region is released by
> release_region() and then the timer handler cpu5wdt_trigger() calls outb()
> to write into the region that is released, the use-after-free bug will
> happen.
> 
> Change del_timer() to timer_shutdown_sync() in order that the timer handler
> could be finished before the port region is released.
> 
> [Backport]
> 
> For Jammy, the fix commit was cleanly applied.
> For Focal, I adjusted context due to lack of timer_shutdown_sync(),
> which was introduced on upstream in the following patch series:
> 
>    [patch V3 00/17] timers: Provide timer_shutdown[_sync]()
>    https://lore.kernel.org/all/20221123201306.823305113@linutronix.de/]
> 
> Even though part of it was pulled in via stable upstream. I did not
> backport the rest here since it would introduce unnecessary changes.
> 
> [Fix]
> 
> Noble:  fixed via stable (pending)
> Jammy:  Cleanly applied
> Focal:  Backport - adjusted contexts, see [Backport]
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: won't fix
> 
> [Test case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use SMA CPU5 watchdog card, an issue with
> with this fix would lead to UAF access to PCI IO resource immediately
> released on cpu5wdt module unload.
> 
> 
> Duoming Zhou (1):
>    watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
> 
>   drivers/watchdog/cpu5wdt.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240913/00af4b04/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240913/00af4b04/attachment-0001.sig>

More information about the kernel-team mailing list