[SRU][Jammy][PATCH 00/11] CVE-2023-6039

Yuxuan Luo yuxuan.luo at canonical.com
Fri Nov 17 23:52:51 UTC 2023 

[Impact]
A use-after-free flaw was found in lan78xx_disconnect in
drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
in the Linux Kernel. This flaw allows a local attacker to crash the
system when the LAN78XX USB device detaches.

[Backport]
The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
which can be ignored since this API (introduced at ec4c7e12396b (“lan78xx:
Introduce NAPI polling support”)) is irrelevant to this fix.

It also depends on a kernel clock function, timer_shutdown_sync(). Since
this function might be used widely in the future given it is under
include/linux directory, backporting the new kernel function is
preferred over expanding it.

Additionally, there were some namespace conflicts when building armhf
and arm64 kernels, three commits authored by Steven Rostedt are needed
to address the issue.

[Test]
Compile and boot tested.

[Potential Regression]
It is not an easy task to assess the regression potential as 9 more
out-of-scope patches are introduced, proceed with caution.

Duoming Zhou (1):
  net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs

Steven Rostedt (Google) (3):
  clocksource/drivers/arm_arch_timer: Do not use timer namespace for
    timer_shutdown() function
  clocksource/drivers/sp804: Do not use timer namespace for
    timer_shutdown() function
  ARM: spear: Do not use timer namespace for timer_shutdown() function

Thomas Gleixner (7):
  timers: Use del_timer_sync() even on UP
  timers: Update kernel-doc for various functions
  timers: Rename del_timer_sync() to timer_delete_sync()
  timers: Rename del_timer() to timer_delete()
  timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
  timers: Add shutdown mechanism to the internal functions
  timers: Provide timer_shutdown[_sync]()

 arch/arm/mach-spear/time.c           |   8 +-
 drivers/clocksource/arm_arch_timer.c |  12 +-
 drivers/clocksource/timer-sp804.c    |   6 +-
 drivers/net/usb/lan78xx.c            |   7 +-
 include/linux/timer.h                |  35 ++-
 kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
 6 files changed, 318 insertions(+), 115 deletions(-)

-- 
2.34.1

More information about the kernel-team mailing list