mbox series

[SRU,J/F,0/1] CVE-2023-52629

Message ID 20240708153800.16332-1-bethany.jamison@canonical.com
Headers show
Series CVE-2023-52629 | expand

Message

Bethany Jamison July 8, 2024, 3:37 p.m. UTC
[Impact]

sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync()
in switch_drv_remove(). Although we use flush_work() to stop
the worker, it could be rescheduled in switch_timer(). As a result,
a use-after-free bug can occur. The details are shown below:

      (cpu 0)                    |      (cpu 1)
switch_drv_remove()              |
 flush_work()                    |
  ...                            |  switch_timer // timer
                                 |   schedule_work(&psw->work)
 timer_shutdown_sync()           |
 ...                             |  switch_work_handler // worker
 kfree(psw) // free              |
                                 |   psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to
mitigate the bugs. As a result, the worker and timer will be
stopped safely before the deallocate operations.

[Fix]

Noble:	not affected
Jammy:	Backported - context conflict with neighboring line
Focal:	Jammy patch applied cleanly
Bionic:	fix sent to esm ML
Xenial:	fix sent to esm ML
Trusty: not going to be fixed by us

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix affects those who use the push-switch framework, an issue
with this fix would be visible to the user via unpredicted system 
behavior or a system crash.

Duoming Zhou (1):
  sh: push-switch: Reorder cleanup operations to avoid use-after-free
    bug

 arch/sh/drivers/push-switch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Manuel Diewald July 8, 2024, 5:35 p.m. UTC | #1
On Mon, Jul 08, 2024 at 10:37:59AM -0500, Bethany Jamison wrote:
> [Impact]
> 
> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
> 
> The original code puts flush_work() before timer_shutdown_sync()
> in switch_drv_remove(). Although we use flush_work() to stop
> the worker, it could be rescheduled in switch_timer(). As a result,
> a use-after-free bug can occur. The details are shown below:
> 
>       (cpu 0)                    |      (cpu 1)
> switch_drv_remove()              |
>  flush_work()                    |
>   ...                            |  switch_timer // timer
>                                  |   schedule_work(&psw->work)
>  timer_shutdown_sync()           |
>  ...                             |  switch_work_handler // worker
>  kfree(psw) // free              |
>                                  |   psw->state = 0 // use
> 
> This patch puts timer_shutdown_sync() before flush_work() to
> mitigate the bugs. As a result, the worker and timer will be
> stopped safely before the deallocate operations.
> 
> [Fix]
> 
> Noble:	not affected
> Jammy:	Backported - context conflict with neighboring line
> Focal:	Jammy patch applied cleanly
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty: not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use the push-switch framework, an issue
> with this fix would be visible to the user via unpredicted system 
> behavior or a system crash.
> 
> Duoming Zhou (1):
>   sh: push-switch: Reorder cleanup operations to avoid use-after-free
>     bug
> 
>  arch/sh/drivers/push-switch.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Noah Wager July 9, 2024, 2:22 a.m. UTC | #2
Acked-by: Noah Wager <noah.wager@canonical.com>

On Mon, Jul 08, 2024 at 10:37:59AM -0500, Bethany Jamison wrote:
> [Impact]
> 
> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
> 
> The original code puts flush_work() before timer_shutdown_sync()
> in switch_drv_remove(). Although we use flush_work() to stop
> the worker, it could be rescheduled in switch_timer(). As a result,
> a use-after-free bug can occur. The details are shown below:
> 
>       (cpu 0)                    |      (cpu 1)
> switch_drv_remove()              |
>  flush_work()                    |
>   ...                            |  switch_timer // timer
>                                  |   schedule_work(&psw->work)
>  timer_shutdown_sync()           |
>  ...                             |  switch_work_handler // worker
>  kfree(psw) // free              |
>                                  |   psw->state = 0 // use
> 
> This patch puts timer_shutdown_sync() before flush_work() to
> mitigate the bugs. As a result, the worker and timer will be
> stopped safely before the deallocate operations.
> 
> [Fix]
> 
> Noble:	not affected
> Jammy:	Backported - context conflict with neighboring line
> Focal:	Jammy patch applied cleanly
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty: not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use the push-switch framework, an issue
> with this fix would be visible to the user via unpredicted system 
> behavior or a system crash.
> 
> Duoming Zhou (1):
>   sh: push-switch: Reorder cleanup operations to avoid use-after-free
>     bug
> 
>  arch/sh/drivers/push-switch.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Stefan Bader July 19, 2024, 8:48 a.m. UTC | #3
On 08.07.24 17:37, Bethany Jamison wrote:
> [Impact]
> 
> sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
> 
> The original code puts flush_work() before timer_shutdown_sync()
> in switch_drv_remove(). Although we use flush_work() to stop
> the worker, it could be rescheduled in switch_timer(). As a result,
> a use-after-free bug can occur. The details are shown below:
> 
>        (cpu 0)                    |      (cpu 1)
> switch_drv_remove()              |
>   flush_work()                    |
>    ...                            |  switch_timer // timer
>                                   |   schedule_work(&psw->work)
>   timer_shutdown_sync()           |
>   ...                             |  switch_work_handler // worker
>   kfree(psw) // free              |
>                                   |   psw->state = 0 // use
> 
> This patch puts timer_shutdown_sync() before flush_work() to
> mitigate the bugs. As a result, the worker and timer will be
> stopped safely before the deallocate operations.
> 
> [Fix]
> 
> Noble:	not affected
> Jammy:	Backported - context conflict with neighboring line
> Focal:	Jammy patch applied cleanly
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty: not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use the push-switch framework, an issue
> with this fix would be visible to the user via unpredicted system
> behavior or a system crash.
> 
> Duoming Zhou (1):
>    sh: push-switch: Reorder cleanup operations to avoid use-after-free
>      bug
> 
>   arch/sh/drivers/push-switch.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan