| Message ID | 20230418135826.1222385-1-john.cabaj@canonical.com |
|---|---|
| Headers | show |
| Series | CVE-2023-1859 | expand |
On 4/18/23 7:58 AM, John Cabaj wrote: > [Impact] > * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed. > * Perform requisite clean-up upon removal so further requests cannot be serviced. > > [Fix] > * Clean cherry-picks for all affected kernels > > [Test Case] > * Compile tested > * Boot tested > > [Potential regression] > * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish. > > -v2: > * Removing oem-5.14 and adding CVE # to patch > > Zheng Wang (1): > 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race > condition > > net/9p/trans_xen.c | 4 ++++ > 1 file changed, 4 insertions(+) > Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 23/04/18 08:58AM, John Cabaj wrote: > [Impact] > * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed. > * Perform requisite clean-up upon removal so further requests cannot be serviced. > > [Fix] > * Clean cherry-picks for all affected kernels > > [Test Case] > * Compile tested > * Boot tested > > [Potential regression] > * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish. > > -v2: > * Removing oem-5.14 and adding CVE # to patch > > Zheng Wang (1): > 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race > condition > > net/9p/trans_xen.c | 4 ++++ > 1 file changed, 4 insertions(+) > > -- > 2.34.1 Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>
John Cabaj kirjoitti 18.4.2023 klo 16.58: > [Impact] > * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed. > * Perform requisite clean-up upon removal so further requests cannot be serviced. > > [Fix] > * Clean cherry-picks for all affected kernels > > [Test Case] > * Compile tested > * Boot tested > > [Potential regression] > * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish. > > -v2: > * Removing oem-5.14 and adding CVE # to patch > > Zheng Wang (1): > 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race > condition > > net/9p/trans_xen.c | 4 ++++ > 1 file changed, 4 insertions(+) > this was essentially already applied to the oem kernels
On 18.04.23 15:58, John Cabaj wrote: > [Impact] > * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed. > * Perform requisite clean-up upon removal so further requests cannot be serviced. > > [Fix] > * Clean cherry-picks for all affected kernels > > [Test Case] > * Compile tested > * Boot tested > > [Potential regression] > * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish. > > -v2: > * Removing oem-5.14 and adding CVE # to patch > > Zheng Wang (1): > 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race > condition > > net/9p/trans_xen.c | 4 ++++ > 1 file changed, 4 insertions(+) > Applied to kinetic,jammy,focal,bionic:linux/master-next. Thanks. -Stefan
[Impact] * A use-after-free vulnerability could exist in xen/9pfs, whereupon after removal of a xen_9pfs device, an attempt to service a response could access a struct that has been freed. * Perform requisite clean-up upon removal so further requests cannot be serviced. [Fix] * Clean cherry-picks for all affected kernels [Test Case] * Compile tested * Boot tested [Potential regression] * Low risk. Potentially could take longer to remove xen_9pfs device as cancel waits for work to finish. -v2: * Removing oem-5.14 and adding CVE # to patch Zheng Wang (1): 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition net/9p/trans_xen.c | 4 ++++ 1 file changed, 4 insertions(+)