[SRU,Bionic,Focal,Jammy,Kinetic,OEM-5.14,OEM-5.17,OEM-6.0,OEM-6.1,0/1] CVE-2023-1859

Message ID 20230417180806.1195248-1-john.cabaj@canonical.com

Message

John Cabaj April 17, 2023, 6:08 p.m. UTC
[Impact]
* A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed.
* Perform requisite clean-up upon removal so further requests cannot be serviced.

[Fix]
* Clean cherry-picks for all affected kernels

[Test Case]
* Compile tested
* Boot tested

[Potential regression]
* Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish.

Zheng Wang (1):
  9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
    condition

 net/9p/trans_xen.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Stefan Bader April 18, 2023, 7:17 a.m. UTC | #1
On 17.04.23 20:08, John Cabaj wrote:
> [Impact]
> * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed.
> * Perform requisite clean-up upon removal so further requests cannot be serviced.
> 
> [Fix]
> * Clean cherry-picks for all affected kernels
> 
> [Test Case]
> * Compile tested
> * Boot tested
> 
> [Potential regression]
> * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish.
> 
> Zheng Wang (1):
>    9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
>      condition
> 
>   net/9p/trans_xen.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 

Except for focal:linux-oem-5.14. This kernel is now EOL. Users get 
migrated to focal:linux-hwe-5.15.

Acked-by: Stefan Bader <stefan.bader@canonical.com>

Timo Aaltonen April 18, 2023, 7:33 a.m. UTC | #2
John Cabaj wrote on 17.4.2023 at 21.08:
> [Impact]
> * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed.
> * Perform requisite clean-up upon removal so further requests cannot be serviced.
> 
> [Fix]
> * Clean cherry-picks for all affected kernels
> 
> [Test Case]
> * Compile tested
> * Boot tested
> 
> [Potential regression]
> * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish.
> 
> Zheng Wang (1):
>    9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
>      condition
> 
>   net/9p/trans_xen.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 

applied to current oem kernels, thanks

Timo Aaltonen April 18, 2023, 9:48 a.m. UTC | #3
Timo Aaltonen wrote on 18.4.2023 at 10.33:
> John Cabaj wrote on 17.4.2023 at 21.08:
>> [Impact]
>> * A use-after-free vulnerability could exist in xen/9pfs, whereupon 
>> after removal of a xen_9pfs device, an attempt to service a response 
>> could access a struct that has been freed.
>> * Perform requisite clean-up upon removal so further requests cannot 
>> be serviced.
>>
>> [Fix]
>> * Clean cherry-picks for all affected kernels
>>
>> [Test Case]
>> * Compile tested
>> * Boot tested
>>
>> [Potential regression]
>> * Low risk. Potentially could take longer to remove xen_9pfs device as 
>> cancel waits for work to finish.
>>
>> Zheng Wang (1):
>>    9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
>>      condition
>>
>>   net/9p/trans_xen.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
> 
> applied to current oem kernels, thanks
> 

Actually, you're missing the CVE entry from the commit, so it doesn't 
show right in the changelog after cranky close.

Tim Gardner April 18, 2023, 1:10 p.m. UTC | #4
On 4/17/23 12:08 PM, John Cabaj wrote:
> [Impact]
> * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed.
> * Perform requisite clean-up upon removal so further requests cannot be serviced.
> 
> [Fix]
> * Clean cherry-picks for all affected kernels
> 
> [Test Case]
> * Compile tested
> * Boot tested
> 
> [Potential regression]
> * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish.
> 
> Zheng Wang (1):
>    9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
>      condition
> 
>   net/9p/trans_xen.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 

You are missing the CVE notation in the patch.