[SRU,OEM-6.1,0/8] CVE-2023-6039

Message ID 20240220192421.35003-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo Feb. 20, 2024, 7:24 p.m. UTC
[Impact]
A use-after-free flaw was found in lan78xx_disconnect in
drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
in the Linux Kernel. This flaw allows a local attacker to crash the
system when the LAN78XX USB device detaches.

[Backport]
It depends on a kernel clock function, timer_shutdown_sync(). Since
this function might be used widely in the future given it is under
include/linux directory, backporting the new kernel function is
preferred over expanding it.

For generic kernel, the fix commit has a conflict at the
netif_napi_del(&dev->napi); line; however, it is already included in the
OEM-6.1 tree, so the fix commit can be cherry picked cleanly.

Additionally, there were some namespace conflicts when building armhf
and arm64 kernels for generic kernel. Since OEM-6.1 does not have to
worry about those two archs, three commits from the patch set for
generic kernel solving the issue are not included.

[Test]
Compile and boot tested.

[Potential Regression]
It is not an easy task to assess the regression potential as 7 more
out-of-scope patches are introduced; proceed with caution.

Duoming Zhou (1):
  net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs

Thomas Gleixner (7):
  timers: Use del_timer_sync() even on UP
  timers: Update kernel-doc for various functions
  timers: Rename del_timer_sync() to timer_delete_sync()
  timers: Rename del_timer() to timer_delete()
  timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
  timers: Add shutdown mechanism to the internal functions
  timers: Provide timer_shutdown[_sync]()

 drivers/net/usb/lan78xx.c |   7 +-
 include/linux/timer.h     |  35 +++-
 kernel/time/timer.c       | 365 ++++++++++++++++++++++++++++----------
 3 files changed, 305 insertions(+), 102 deletions(-)
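
Added example (not part of the original message and not kernel code): a user-space C model of the difference between timer_delete_sync() and timer_shutdown_sync(), the function the fix depends on. A shut-down timer ignores later attempts to re-arm it, so nothing is left pending when the owning structure is freed. The struct, the model_* names and the late re-arm step are simplified assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of a kernel timer (constructed for illustration). */
struct model_timer {
    void (*function)(struct model_timer *); /* callback; NULL once shut down */
    bool pending;                           /* queued and will fire later */
};

/* Models mod_timer(): arming is silently refused after shutdown. */
static bool model_mod_timer(struct model_timer *t)
{
    if (!t->function)
        return false;
    t->pending = true;
    return true;
}

/* Models timer_delete_sync(): dequeues only, so the timer can be re-armed. */
static void model_timer_delete_sync(struct model_timer *t)
{
    t->pending = false;
}

/* Models timer_shutdown_sync(): dequeues and clears the callback. */
static void model_timer_shutdown_sync(struct model_timer *t)
{
    t->pending = false;
    t->function = NULL;
}

static void stat_cb(struct model_timer *t) { (void)t; }

/* Disconnect path: stop the timer, then deferred work that is still running
 * tries to re-arm it before the device memory is freed. Returns true if the
 * timer is pending at the point of free, i.e. it would fire on freed memory. */
static bool pending_at_free(bool use_shutdown)
{
    struct model_timer t = { .function = stat_cb, .pending = true };

    if (use_shutdown)
        model_timer_shutdown_sync(&t);
    else
        model_timer_delete_sync(&t);
    model_mod_timer(&t); /* late re-arm from deferred work (assumed) */
    return t.pending;
}

int main(void) { return pending_at_free(true) ? 1 : 0; }
```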

Comments

Tim Gardner Feb. 22, 2024, 2:04 p.m. UTC | #1
On 2/20/24 12:24 PM, Yuxuan Luo wrote:
> [Impact]
> A use-after-free flaw was found in lan78xx_disconnect in
> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
> in the Linux Kernel. This flaw allows a local attacker to crash the
> system when the LAN78XX USB device detaches.
> 
> [Backport]
> It depends on a kernel clock function, timer_shutdown_sync(). Since
> this function might be used widely in the future given it is under
> include/linux directory, backporting the new kernel function is
> preferred over expanding it.
> 
> For generic kernel, the fix commit has a conflict at the
> netif_napi_del(&dev->napi); line; however, it is already included in the
> OEM-6.1 tree, so the fix commit can be cherry picked cleanly.
> 
> Additionally, there were some namespace conflicts when building armhf
> and arm64 kernels for generic kernel. Since OEM-6.1 does not have to
> worry about those two archs, three commits from the patch set for
> generic kernel solving the issue are not included.
> 
> [Test]
> Compile and boot tested.
> 
> [Potential Regression]
> It is not an easy task to assess the regression potential as 7 more
> out-of-scope patches are introduced; proceed with caution.
> 
> Duoming Zhou (1):
>    net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
> 
> Thomas Gleixner (7):
>    timers: Use del_timer_sync() even on UP
>    timers: Update kernel-doc for various functions
>    timers: Rename del_timer_sync() to timer_delete_sync()
>    timers: Rename del_timer() to timer_delete()
>    timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>    timers: Add shutdown mechanism to the internal functions
>    timers: Provide timer_shutdown[_sync]()
> 
>   drivers/net/usb/lan78xx.c |   7 +-
>   include/linux/timer.h     |  35 +++-
>   kernel/time/timer.c       | 365 ++++++++++++++++++++++++++++----------
>   3 files changed, 305 insertions(+), 102 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Timo Aaltonen Feb. 29, 2024, 9:15 a.m. UTC | #2
Yuxuan Luo wrote on 20.2.2024 at 21:24:
> [Impact]
> A use-after-free flaw was found in lan78xx_disconnect in
> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
> in the Linux Kernel. This flaw allows a local attacker to crash the
> system when the LAN78XX USB device detaches.
> 
> [Backport]
> It depends on a kernel clock function, timer_shutdown_sync(). Since
> this function might be used widely in the future given it is under
> include/linux directory, backporting the new kernel function is
> preferred over expanding it.
> 
> For generic kernel, the fix commit has a conflict at the
> netif_napi_del(&dev->napi); line; however, it is already included in the
> OEM-6.1 tree, so the fix commit can be cherry picked cleanly.
> 
> Additionally, there were some namespace conflicts when building armhf
> and arm64 kernels for generic kernel. Since OEM-6.1 does not have to
> worry about those two archs, three commits from the patch set for
> generic kernel solving the issue are not included.
> 
> [Test]
> Compile and boot tested.
> 
> [Potential Regression]
> It is not an easy task to assess the regression potential as 7 more
> out-of-scope patches are introduced; proceed with caution.
> 
> Duoming Zhou (1):
>    net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
> 
> Thomas Gleixner (7):
>    timers: Use del_timer_sync() even on UP
>    timers: Update kernel-doc for various functions
>    timers: Rename del_timer_sync() to timer_delete_sync()
>    timers: Rename del_timer() to timer_delete()
>    timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>    timers: Add shutdown mechanism to the internal functions
>    timers: Provide timer_shutdown[_sync]()
> 
>   drivers/net/usb/lan78xx.c |   7 +-
>   include/linux/timer.h     |  35 +++-
>   kernel/time/timer.c       | 365 ++++++++++++++++++++++++++++----------
>   3 files changed, 305 insertions(+), 102 deletions(-)
> 

applied to oem-6.1, thanks