Re: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

From: Greg Kroah-Hartman
Date: Sat Oct 12 2024 - 09:04:36 EST

Next message: Maciej W. Rozycki: "Re: [PATCH] mips: asm: fix warning when disabling MIPS_FP_SUPPORT"
Previous message: Simon Horman: "Re: [PATCHv6 net-next 2/7] net: ibm: emac: remove custom init/exit functions"
In reply to: Jean Delvare: "Re: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Oct 11, 2024 at 05:27:23PM +0200, Jean Delvare wrote:
> Hi Greg,
>
> On Fri, 11 Oct 2024 15:34:18 +0200, Greg Kroah-Hartman wrote:
> > On Fri, Oct 11, 2024 at 12:16:40PM +0200, Jean Delvare wrote:
> > > On Fri, 2024-06-21 at 12:19 +0200, Greg Kroah-Hartman wrote:
> > > > Description
> > > > ===========
> > > >
> > > > In the Linux kernel, the following vulnerability has been resolved:
> > > >
> > > > watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
> > > >
> > > > When the cpu5wdt module is removing, the origin code uses del_timer() to
> > > > de-activate the timer. If the timer handler is running, del_timer() could
> > > > not stop it and will return directly. If the port region is released by
> > > > release_region() and then the timer handler cpu5wdt_trigger() calls outb()
> > > > to write into the region that is released, the use-after-free bug will
> > > > happen.
> > > >
> > > > Change del_timer() to timer_shutdown_sync() in order that the timer handler
> > > > could be finished before the port region is released.
> > > >
> > > > The Linux kernel CVE team has assigned CVE-2024-38630 to this issue.
> > > >
> > > >
> > > > Affected and fixed versions
> > > > ===========================
> > > >
> > > >         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.6.33 with commit 9b1c063ffc07
> > > >         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.9.4 with commit f19686d61650
> > > >         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.10-rc1 with commit 573601521277
> > >
> > > For the record, this is incorrect. The Fixes tag is misleading. The
> > > commit being "fixed" was adding a missing del_timer() call, so the
> > > situation was even worst before that, as the race window on module
> > > removal was even larger.
> > >
> > > The bug is present since kernel v2.5.61 when the cpu5wdt driver was
> > > added to the kernel tree.
> >
> > So should I change the "vulnerable" commit to be the root of git, commit
> > 1da177e4c3f4 ("Linux-2.6.12-rc2"), instead?
>
> Yes.

Great, now done, and the json entry on cve.org is updated.

thanks for the review.

greg k-h

Next message: Maciej W. Rozycki: "Re: [PATCH] mips: asm: fix warning when disabling MIPS_FP_SUPPORT"
Previous message: Simon Horman: "Re: [PATCHv6 net-next 2/7] net: ibm: emac: remove custom init/exit functions"
In reply to: Jean Delvare: "Re: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]