ACK: [SRU][F 0/16][J 0/1][PATCH v3] CVE-2024-35887
Magali Lemes
magali.lemes at canonical.com
Wed Dec 4 21:15:44 UTC 2024
On 29/11/2024 14:00, Massimiliano Pellizzer wrote:
> [Impact]
>
> ax25: fix use-after-free bugs caused by ax25_ds_del_timer
>
> When the ax25 device is detaching, the ax25_dev_device_down()
> calls ax25_ds_del_timer() to cleanup the slave_timer. When
> the timer handler is running, the ax25_ds_del_timer() that
> calls del_timer() in it will return directly. As a result,
> the use-after-free bugs could happen.
>
> In order to mitigate bugs, when the device is detaching, use
> timer_shutdown_sync() to stop the timer.
>
> [Fix]
>
> Noble: Fixed
> Jammy: Cherry picked from mainline
>
> Focal:
> - Clean cherry pick of 8fd8ad5c5dfc (mainline): cherry picked since
> it provides the definition of lockdep_assert_preemption_enabled()
> - Clean cherry pick of c725dafc95f1 (mainline): cherry picked since it
> is a prereq for 8553b5f2774a
> - Backported the patchset [1], since it provides timer_shutdown_sync(),
> which is necessary to apply the fix commit
> - Backported b0b0aa5d858d from mainline
> - Cherry picked 80b55772d41d from mainline
> - Cherry picked 73737a5833ac from mainline
> - Backported 6e1fc2591f11 from mainline
> - Backported 9a5a30568697 from mainline
> - Backported 82ed6f7ef58f from mainline
> - 14f043f1340b already backported via stable updates
> - 168f6b6ffbee already backported via stable updates
> - 9b13df3fb64e already backported via stable updates
> - Cherry picked bb663f0f3c39 from mainline
> - Backported 87bdd932e858 from mainline
> - Cherry picked d02e382cef06 from mainline
> - Backported 8553b5f2774a from mainline
> - Cherry picked 0cc04e80458a from mainline
> - Cherry picked f571faf6e443 from mainline
> - Backported a31323bef2b6 from mainline
> - Cherry pick of the fix commit from mainline.
>
> Bionic: Work in progress
> Xenial: Work in progress
>
> [Test Case]
>
> Compile and boot tested.
> Since the patch set significantly modifies the "timers" subsystem I also
> used kselftest with target "timers" to make sure the patch set does not
> introduce any regression.
>
> [Where problems could occur]
>
> The fix affects net/ax25 and (for Focal) the core timer subsystem.
> In Jammy a regression is not likely.
> In Focal, since the core timer subsystem has been modified
> significantly, the entire kernel could be impacted. This could lead to
> widespread timer failures, causing system instability and kernel
> crashes.
>
> [Note]
>
> The fix for the CVE uses the function timer_shutdown_sync(), which is
> safe to use in pretty much every context.
> This function is not implemented in Focal. The closest function to
> timer_shutdown_sync(), in Focal, is timer_delete_sync() which has strict
> requirements:
>
> Synchronization rules: Callers must prevent restarting of the timer,
> otherwise this function is meaningless. It must not be called from
> interrupt contexts unless the timer is an irqsafe one. The caller must
> not hold locks which would prevent completion of the timer's callback
> function. The timer's handler must not call add_timer_on(). Upon exit
> the timer is not queued and the handler is not running on any CPU.
>
> For !irqsafe timers, the caller must not hold locks that are held in
> interrupt context.
>
> and does not implement the shutdown logic implemented by
> timer_shutdown_sync().
> For these reasons I decided to also backport patches related to timers.
>
> [Changes between v1 and v2]
>
> Removed the following superfluous change in [F][PATCH 4/9]:
>
> - WARN_ON(in_irq() && !(timer->flags & TIMER_IRQSAFE));
> + WARN_ON(hardirq_count() && !(timer->flags & TIMER_IRQSAFE));
>
> as in_irq() is defined as:
>
> #define in_irq() (hardirq_count())
>
> [Changes between v2 and v3]
>
> Backported more prereqs from [1].
>
> [1] https://lore.kernel.org/all/20221123201625.314230270@linutronix.de/T/#u
>
> Ahmed S. Darwish (1):
> lockdep: Add preemption enabled/disabled assertion APIs
>
> Duoming Zhou (1):
> ax25: fix use-after-free bugs caused by ax25_ds_del_timer
>
> Sebastian Andrzej Siewior (1):
> timers: Don't block on ->expiry_lock for TIMER_IRQSAFE timers
>
> Steven Rostedt (Google) (4):
> ARM: spear: Do not use timer namespace for timer_shutdown() function
> clocksource/drivers/arm_arch_timer: Do not use timer namespace for
> timer_shutdown() function
> clocksource/drivers/sp804: Do not use timer namespace for
> timer_shutdown() function
> timers: Update the documentation to reflect on the new
> timer_shutdown() API
>
> Thomas Gleixner (9):
> Documentation: Remove bogus claim about del_timer_sync()
> timers: Get rid of del_singleshot_timer_sync()
> timers: Replace BUG_ON()s
> timers: Rename del_timer() to timer_delete()
> Documentation: Replace del_timer/del_timer_sync()
> timers: Silently ignore timers with a NULL function
> timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
> timers: Add shutdown mechanism to the internal functions
> timers: Provide timer_shutdown[_sync]()
>
> .../RCU/Design/Requirements/Requirements.html | 2 +-
> Documentation/core-api/local_ops.rst | 2 +-
> Documentation/kernel-hacking/locking.rst | 18 +-
> Documentation/timers/hrtimers.rst | 2 +-
> .../it_IT/kernel-hacking/locking.rst | 14 +-
> arch/arm/mach-spear/time.c | 8 +-
> drivers/char/tpm/tpm-dev-common.c | 4 +-
> drivers/clocksource/arm_arch_timer.c | 12 +-
> drivers/clocksource/timer-sp804.c | 6 +-
> drivers/misc/sgi-xp/xpc_partition.c | 2 +-
> drivers/staging/wlan-ng/hfa384x_usb.c | 4 +-
> drivers/staging/wlan-ng/prism2usb.c | 6 +-
> include/linux/lockdep.h | 19 ++
> include/linux/timer.h | 17 +-
> kernel/time/timer.c | 322 ++++++++++++++----
> lib/Kconfig.debug | 1 +
> net/ax25/ax25_dev.c | 2 +-
> net/sunrpc/xprt.c | 2 +-
> 18 files changed, 343 insertions(+), 100 deletions(-)
>
Acked-by: Magali Lemes <magali.lemes at canonical.com>
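The cover letter's [Note] contrasts del_timer(), timer_delete_sync() and timer_shutdown_sync() for the detach-while-the-handler-is-running case. As an added illustration that is not part of this thread or of the kernel's own code, the following constructed C model runs that interleaving under each variant and reports whether the freed device can still be reached; the sim_* names, the self re-arming slave_timeout handler and the sim_dev object are assumptions of the model, not kernel internals.

```c
/* Constructed model of del_timer()/timer_delete_sync()/timer_shutdown_sync(); not kernel code. */
struct sim_dev { int alive; int touched_after_free; };
struct sim_timer {
    int pending, running, shutdown;  /* queued / handler mid-execution / re-arm refused */
    void (*fn)(struct sim_timer *);
    struct sim_dev *dev;             /* what the handler touches (ax25_dev in the CVE) */
};
/* add_timer(): refused once shut down, otherwise queues the timer. */
int sim_add_timer(struct sim_timer *t)
{
    if (t->shutdown) return 0;
    return t->pending = 1;
}
/* Softirq side: expiry dequeues the timer and starts the handler; its body finishes later. */
void sim_expire_begin(struct sim_timer *t) { t->pending = 0; t->running = 1; }
void sim_expire_end(struct sim_timer *t) { t->fn(t); t->running = 0; }
/* del_timer()/timer_delete(): dequeue if pending; never waits for a running handler. */
int sim_timer_delete(struct sim_timer *t)
{
    int was_pending = t->pending;
    t->pending = 0;
    return was_pending;
}
/* Both _sync variants share one body: optionally mark shutdown, dequeue, then wait for a
 * running handler (waiting is modelled by running the handler body to completion here). */
static int sim_delete_sync_common(struct sim_timer *t, int shutdown)
{
    if (shutdown) t->shutdown = 1;
    int ret = sim_timer_delete(t);
    if (t->running) sim_expire_end(t);
    return ret;
}
int sim_timer_delete_sync(struct sim_timer *t)   { return sim_delete_sync_common(t, 0); }
int sim_timer_shutdown_sync(struct sim_timer *t) { return sim_delete_sync_common(t, 1); }
/* Handler modelled on a periodic slave timer: touch the device, then re-arm itself. */
static void slave_timeout(struct sim_timer *t)
{
    if (!t->dev->alive) t->dev->touched_after_free = 1;  /* the use-after-free */
    sim_add_timer(t);
}
/* Detach with the handler already running. Bit 0: still queued on the freed device; bit 1: touched after free. */
int sim_detach(int (*del)(struct sim_timer *))
{
    struct sim_dev d = { 1, 0 };
    struct sim_timer t = { 1, 0, 0, slave_timeout, &d };
    sim_expire_begin(&t);               /* timer fired; handler is running on another CPU */
    del(&t);                            /* ax25_ds_del_timer() using this variant */
    d.alive = 0;                        /* ax25_dev freed */
    if (t.running) sim_expire_end(&t);  /* handler finishes after the free */
    return t.pending | (d.touched_after_free << 1);
}
```

Only the shutdown variant yields 0: plain delete returns 3 (handler touched the freed device and re-armed), and delete_sync returns 1 because the handler re-armed before it returned, which is the "callers must prevent restarting of the timer" requirement quoted above.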