[SRU][F/J][PATCH 0/1] CVE-2024-38630

Koichiro Den koichiro.den at canonical.com
Tue Sep 10 01:44:03 UTC 2024


[Impact]

watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

When the cpu5wdt module is being removed, the original code uses del_timer() to
de-activate the timer. If the timer handler is running, del_timer() cannot
stop it and returns directly. If the port region is then released by
release_region() and the timer handler cpu5wdt_trigger() calls outb()
to write into the region that was released, a use-after-free bug
occurs.

Change del_timer() to timer_shutdown_sync() in order that the timer handler
could be finished before the port region is released.
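As an added illustration, not part of this patch or of the upstream commit, the following user-space C model reproduces the ordering the commit message describes: a "timer handler" thread that has already started when module exit begins, a port region that exit releases, and the two cancellation strategies side by side. The names (timer_handler, run_teardown, struct io_region, the `mapped` flag) are assumptions of this model; none of the driver's real symbols are used, and a condition-variable gate stands in for the scheduler slice between the handler entering and its outb().

```c
/* User-space model of the timer-cancel race described in the commit message.
 * Added illustration only: the "timer handler" is a pthread, the I/O port
 * region is a struct with a 'mapped' flag, and the condition-variable gate
 * models the window between the handler starting and its outb(). */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct io_region {
    bool mapped;            /* true between request_region() and release_region() */
};

struct model {
    pthread_mutex_t lock;
    pthread_cond_t cv;
    bool handler_running;   /* handler has entered but not yet touched the port */
    bool handler_may_proceed;
    bool handler_done;
    struct io_region *region;
    bool observed_uaf;      /* handler wrote to the region after it was released */
};

/* Stands in for cpu5wdt_trigger(): the timer callback that does outb() to the port. */
static void *timer_handler(void *arg)
{
    struct model *m = arg;

    pthread_mutex_lock(&m->lock);
    m->handler_running = true;
    pthread_cond_broadcast(&m->cv);
    while (!m->handler_may_proceed)
        pthread_cond_wait(&m->cv, &m->lock);

    /* The outb(): legal only while the region is still requested. */
    if (!m->region->mapped)
        m->observed_uaf = true;

    m->handler_running = false;
    m->handler_done = true;
    pthread_cond_broadcast(&m->cv);
    pthread_mutex_unlock(&m->lock);
    return NULL;
}

/* Models module exit with the handler already running when exit starts.
 * sync_shutdown=false is the del_timer() path, true is timer_shutdown_sync().
 * Returns true if the handler touched the region after it was released. */
static bool run_teardown(bool sync_shutdown)
{
    struct io_region region = { .mapped = true };   /* request_region() done */
    struct model m = { .region = &region };
    pthread_t tid;

    pthread_mutex_init(&m.lock, NULL);
    pthread_cond_init(&m.cv, NULL);
    pthread_create(&tid, NULL, timer_handler, &m);

    pthread_mutex_lock(&m.lock);
    while (!m.handler_running)          /* timer has fired; handler is in flight */
        pthread_cond_wait(&m.cv, &m.lock);

    if (sync_shutdown) {
        /* timer_shutdown_sync(): let the in-flight handler run to completion
         * and wait for it before touching the region. */
        m.handler_may_proceed = true;
        pthread_cond_broadcast(&m.cv);
        while (!m.handler_done)
            pthread_cond_wait(&m.cv, &m.lock);
    }
    /* del_timer(): the timer is no longer pending, so it returns at once. */

    region.mapped = false;              /* release_region() */

    if (!sync_shutdown) {
        /* The still-running handler now reaches its outb() on a released region. */
        m.handler_may_proceed = true;
        pthread_cond_broadcast(&m.cv);
        while (!m.handler_done)
            pthread_cond_wait(&m.cv, &m.lock);
    }
    pthread_mutex_unlock(&m.lock);
    pthread_join(tid, NULL);
    pthread_cond_destroy(&m.cv);
    pthread_mutex_destroy(&m.lock);
    return m.observed_uaf;
}

int main(void)
{
    printf("del_timer() path:           UAF observed = %d\n", run_teardown(false));
    printf("timer_shutdown_sync() path: UAF observed = %d\n", run_teardown(true));
    return 0;
}
```

The gate makes the interleaving deterministic so the comparison is repeatable: with the del_timer() ordering the handler's write lands after release, with the synchronous shutdown ordering it cannot.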

[Backport]

For Jammy, the fix commit was cleanly applied.
For Focal, I adjusted context due to lack of timer_shutdown_sync(),
which was introduced on upstream in the following patch series:

  [patch V3 00/17] timers: Provide timer_shutdown[_sync]()
  https://lore.kernel.org/all/20221123201306.823305113@linutronix.de/

Even though part of it was pulled in via stable upstream, I did not
backport the rest here since it would introduce unnecessary changes.

[Fix]

Noble:  fixed via stable (pending)
Jammy:  Cleanly applied
Focal:  Backport - adjusted contexts, see [Backport]
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix

[Test case]

Compile and boot tested

[Where problems could occur]

This fix affects those who use the SMA CPU5 watchdog card; an issue
with this fix would lead to UAF access to the PCI IO resource immediately
after it is released on cpu5wdt module unload.


Duoming Zhou (1):
  watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

 drivers/watchdog/cpu5wdt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.43.0
