lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2024101130-underfoot-hungrily-f432@gregkh>
Date: Fri, 11 Oct 2024 15:34:18 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jean Delvare <jdelvare@...e.de>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug
 caused by cpu5wdt_trigger

On Fri, Oct 11, 2024 at 12:16:40PM +0200, Jean Delvare wrote:
> Hi all,
> 
> On Fri, 2024-06-21 at 12:19 +0200, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
> > 
> > When the cpu5wdt module is removing, the origin code uses del_timer() to
> > de-activate the timer. If the timer handler is running, del_timer() could
> > not stop it and will return directly. If the port region is released by
> > release_region() and then the timer handler cpu5wdt_trigger() calls outb()
> > to write into the region that is released, the use-after-free bug will
> > happen.
> > 
> > Change del_timer() to timer_shutdown_sync() in order that the timer handler
> > could be finished before the port region is released.
> > 
> > The Linux kernel CVE team has assigned CVE-2024-38630 to this issue.
> > 
> > 
> > Affected and fixed versions
> > ===========================
> > 
> >         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.6.33 with commit 9b1c063ffc07
> >         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.9.4 with commit f19686d61650
> >         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.10-rc1 with commit 573601521277
> 
> For the record, this is incorrect. The Fixes tag is misleading. The
> commit being "fixed" was adding a missing del_timer() call, so the
> situation was even worst before that, as the race window on module
> removal was even larger.
> 
> The bug is present since kernel v2.5.61 when the cpu5wdt driver was
> added to the kernel tree.

So should I change the "vulnerable" commit to be the root of git, commit
1da177e4c3f4 ("Linux-2.6.12-rc2"), instead?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ