| Message ID | 20240708153800.16332-1-bethany.jamison@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2023-52629 | expand |
On Mon, Jul 08, 2024 at 10:37:59AM -0500, Bethany Jamison wrote: > [Impact] > > sh: push-switch: Reorder cleanup operations to avoid use-after-free bug > > The original code puts flush_work() before timer_shutdown_sync() > in switch_drv_remove(). Although we use flush_work() to stop > the worker, it could be rescheduled in switch_timer(). As a result, > a use-after-free bug can occur. The details are shown below: > > (cpu 0) | (cpu 1) > switch_drv_remove() | > flush_work() | > ... | switch_timer // timer > | schedule_work(&psw->work) > timer_shutdown_sync() | > ... | switch_work_handler // worker > kfree(psw) // free | > | psw->state = 0 // use > > This patch puts timer_shutdown_sync() before flush_work() to > mitigate the bugs. As a result, the worker and timer will be > stopped safely before the deallocate operations. > > [Fix] > > Noble: not affected > Jammy: Backported - context conflict with neighboring line > Focal: Jammy patch applied cleanly > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not going to be fixed by us > > [Test Case] > > Compile and boot tested > > [Where problems could occur] > > This fix affects those who use the push-switch framework, an issue > with this fix would be visible to the user via unpredicted system > behavior or a system crash. > > Duoming Zhou (1): > sh: push-switch: Reorder cleanup operations to avoid use-after-free > bug > > arch/sh/drivers/push-switch.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Acked-by: Noah Wager <noah.wager@canonical.com> On Mon, Jul 08, 2024 at 10:37:59AM -0500, Bethany Jamison wrote: > [Impact] > > sh: push-switch: Reorder cleanup operations to avoid use-after-free bug > > The original code puts flush_work() before timer_shutdown_sync() > in switch_drv_remove(). Although we use flush_work() to stop > the worker, it could be rescheduled in switch_timer(). As a result, > a use-after-free bug can occur. The details are shown below: > > (cpu 0) | (cpu 1) > switch_drv_remove() | > flush_work() | > ... | switch_timer // timer > | schedule_work(&psw->work) > timer_shutdown_sync() | > ... | switch_work_handler // worker > kfree(psw) // free | > | psw->state = 0 // use > > This patch puts timer_shutdown_sync() before flush_work() to > mitigate the bugs. As a result, the worker and timer will be > stopped safely before the deallocate operations. > > [Fix] > > Noble: not affected > Jammy: Backported - context conflict with neighboring line > Focal: Jammy patch applied cleanly > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not going to be fixed by us > > [Test Case] > > Compile and boot tested > > [Where problems could occur] > > This fix affects those who use the push-switch framework, an issue > with this fix would be visible to the user via unpredicted system > behavior or a system crash. > > Duoming Zhou (1): > sh: push-switch: Reorder cleanup operations to avoid use-after-free > bug > > arch/sh/drivers/push-switch.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 08.07.24 17:37, Bethany Jamison wrote: > [Impact] > > sh: push-switch: Reorder cleanup operations to avoid use-after-free bug > > The original code puts flush_work() before timer_shutdown_sync() > in switch_drv_remove(). Although we use flush_work() to stop > the worker, it could be rescheduled in switch_timer(). As a result, > a use-after-free bug can occur. The details are shown below: > > (cpu 0) | (cpu 1) > switch_drv_remove() | > flush_work() | > ... | switch_timer // timer > | schedule_work(&psw->work) > timer_shutdown_sync() | > ... | switch_work_handler // worker > kfree(psw) // free | > | psw->state = 0 // use > > This patch puts timer_shutdown_sync() before flush_work() to > mitigate the bugs. As a result, the worker and timer will be > stopped safely before the deallocate operations. > > [Fix] > > Noble: not affected > Jammy: Backported - context conflict with neighboring line > Focal: Jammy patch applied cleanly > Bionic: fix sent to esm ML > Xenial: fix sent to esm ML > Trusty: not going to be fixed by us > > [Test Case] > > Compile and boot tested > > [Where problems could occur] > > This fix affects those who use the push-switch framework, an issue > with this fix would be visible to the user via unpredicted system > behavior or a system crash. > > Duoming Zhou (1): > sh: push-switch: Reorder cleanup operations to avoid use-after-free > bug > > arch/sh/drivers/push-switch.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Applied to jammy,focal:linux/master-next. Thanks. -Stefan
[Impact] sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations. [Fix] Noble: not affected Jammy: Backported - context conflict with neighboring line Focal: Jammy patch applied cleanly Bionic: fix sent to esm ML Xenial: fix sent to esm ML Trusty: not going to be fixed by us [Test Case] Compile and boot tested [Where problems could occur] This fix affects those who use the push-switch framework, an issue with this fix would be visible to the user via unpredicted system behavior or a system crash. Duoming Zhou (1): sh: push-switch: Reorder cleanup operations to avoid use-after-free bug arch/sh/drivers/push-switch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)