ACK: [SRU][F/J/N][PATCH v2 0/1] CVE-2024-56651

Stewart Hore stewart.hore at canonical.com
Thu Feb 27 07:44:13 UTC 2025


On Thu, Feb 20, 2025 at 08:37:46AM +0100, Massimiliano Pellizzer wrote:
> [Impact]
>
> can: hi311x: hi3110_can_ist(): fix potential use-after-free
>
> The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr
> during bus-off") removed the reporting of rxerr and txerr even in case
> of correct operation (i. e. not bus-off).
>
> The error count information added to the CAN frame after netif_rx() is
> a potential use after free, since there is no guarantee that the skb
> is in the same state. It might be freed or reused.
>
> Fix the issue by postponing the netif_rx() call in case of txerr and
> rxerr reporting.
>
> [Fix]
>
> Oracular: Fixed via upstream stable updates (LP: #2096827)
> Noble: Cherry picked from mainline
> Jammy: Backported from mainline
> Focal: Applied Jammy patch
>
> [Test case]
>
> Compile tested only.
>
> [Where problems could occur]
>
> A regression here is unlikely due to the very limited scope of the
> patch.
>
> [Changes between v1 and v2]
>
> For focal and jammy: used netif_rx_ni() because of missing commit:
> - baebdf48c3600 net: dev: Makes sure netif_rx() can be invoked in any context
>
> Dario Binacchi (1):
>   can: hi311x: hi3110_can_ist(): fix potential use-after-free
>
>  drivers/net/can/spi/hi311x.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> --
> 2.43.0

Acked-by: Stewart Hore <stewart.hore at canonical.com>
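
The ordering problem described in the quoted commit message, as an added userspace model in C that is not part of this thread or of the kernel patch. `deliver()` stands in for `netif_rx()`; `struct frame`, the flag values and the counter byte positions are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct frame {                 /* stand-in for the CAN error frame in the skb */
    uint32_t can_id;
    uint8_t  data[8];
};

#define ERR_FRAME    0x20000000u   /* constructed marker values for this model */
#define ERR_CNT_FLAG 0x00000200u

static struct frame last_seen;     /* copy of what the receiver was handed */
static int delivered;

/* Stand-in for netif_rx(): takes ownership, consumes and frees the buffer.
 * Once it returns, the caller has no guarantee about f and must not touch it. */
static void deliver(struct frame *f)
{
    last_seen = *f;
    delivered++;
    free(f);
}

/* Fixed ordering: complete every write to the frame, then hand it off once.
 * The buggy ordering called deliver(f) first and wrote the counters into
 * f->data afterwards, i.e. into memory that may already be freed or reused. */
static int report_state_change(int bus_off, uint8_t txerr, uint8_t rxerr)
{
    struct frame *f = calloc(1, sizeof(*f));
    if (!f)
        return -1;
    f->can_id = ERR_FRAME;
    if (!bus_off) {                /* counters are reported only when not bus-off */
        f->can_id |= ERR_CNT_FLAG;
        f->data[6] = txerr;        /* assumed position of the TX error count */
        f->data[7] = rxerr;        /* assumed position of the RX error count */
    }
    deliver(f);                    /* last use of f in this function */
    return 0;
}

int main(void)
{
    report_state_change(0, 12, 34);
    printf("tx=%u rx=%u\n", (unsigned)last_seen.data[6], (unsigned)last_seen.data[7]);
    return 0;
}
```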
