Message-ID: <efc8ab85e02b95ab4db09eb9142f62129a51f08c.camel@suse.de>
Date: Fri, 11 Oct 2024 12:16:40 +0200
From: Jean Delvare <jdelvare@...e.de>
To: cve@...nel.org, linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

Hi all,

On Fri, 2024-06-21 at 12:19 +0200, Greg Kroah-Hartman wrote:
> Description
> ===========
> 
> In the Linux kernel, the following vulnerability has been resolved:
> 
> watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
> 
> When the cpu5wdt module is being removed, the original code uses del_timer() to
> de-activate the timer. If the timer handler is running, del_timer() could
> not stop it and will return directly. If the port region is released by
> release_region() and then the timer handler cpu5wdt_trigger() calls outb()
> to write into the region that is released, the use-after-free bug will
> happen.
> 
> Change del_timer() to timer_shutdown_sync() in order that the timer handler
> could be finished before the port region is released.
> 
> The Linux kernel CVE team has assigned CVE-2024-38630 to this issue.
> 
> 
> Affected and fixed versions
> ===========================
> 
>         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.6.33 with commit 9b1c063ffc07
>         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.9.4 with commit f19686d61650
>         Issue introduced in 3.8 with commit e09d9c3e9f85 and fixed in 6.10-rc1 with commit 573601521277

For the record, this is incorrect. The Fixes tag is misleading. The
commit being "fixed" was adding a missing del_timer() call, so the
situation was even worse before that, as the race window on module
removal was even larger.

The bug is present since kernel v2.5.61 when the cpu5wdt driver was
added to the kernel tree.

Also note that the bug was fixed using timer_shutdown_sync(), which is
documented as only being needed when the timer can be rearmed by a
workqueue or similar scenario, which is not the case here. So I'm
reasonably certain that using del_timer_sync() would have been
sufficient.

-- 
Jean Delvare
SUSE L3 Support
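The race discussed in this thread, as an added example that is not part of the original message or of the cpu5wdt driver: a constructed, single-threaded userspace model of a self-re-arming timer whose handler writes to an I/O port region. The names model_del_timer, model_del_timer_sync and model_timer_shutdown_sync are assumptions standing in for the kernel APIs; they reproduce the documented semantics only as far as this race needs them (del_timer() does not wait for a running handler, del_timer_sync() does, timer_shutdown_sync() additionally refuses any later re-arm). The handler is deliberately split into an "entered" half and a "finishing" half so that the module-remove path can be interleaved in the middle of it, which is exactly the window the CVE text describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not kernel code) of a timer whose handler pokes an I/O
 * region and then re-arms itself, the way cpu5wdt_trigger() does with outb(). */
enum tstate { T_IDLE, T_PENDING, T_RUNNING };
enum stop_method { STOP_DEL_TIMER, STOP_DEL_TIMER_SYNC, STOP_TIMER_SHUTDOWN_SYNC };

struct model_timer {
	enum tstate state;
	bool shutdown;                    /* set by timer_shutdown_sync(): re-arm refused */
	void (*fn)(struct model_timer *);
};

struct model_region {
	bool claimed;                     /* true between request_region() and release_region() */
	int writes_after_release;         /* each one is the use-after-free in the real driver */
};

static struct model_region port_region;
static struct model_timer wdt_timer;

/* Modelled outb(): a write into a region we no longer own is the bug. */
static void model_outb(struct model_region *r)
{
	if (!r->claimed)
		r->writes_after_release++;
}

/* Modelled mod_timer(): arms the timer unless it has been shut down. */
static bool model_mod_timer(struct model_timer *t)
{
	if (t->shutdown)
		return false;
	t->state = T_PENDING;
	return true;
}

/* Modelled handler: poke the hardware, then re-arm (like cpu5wdt_trigger). */
static void model_trigger(struct model_timer *t)
{
	model_outb(&port_region);
	model_mod_timer(t);
}

/* Two halves of one handler run, so the remove path can land between them. */
static void handler_enter(struct model_timer *t)
{
	if (t->state == T_PENDING)
		t->state = T_RUNNING;
}

static void handler_finish(struct model_timer *t)
{
	if (t->state != T_RUNNING)
		return;
	t->fn(t);
	if (t->state == T_RUNNING)        /* handler did not (or could not) re-arm */
		t->state = T_IDLE;
}

/* Modelled del_timer(): cancels a pending timer, does NOT wait for a running one. */
static int model_del_timer(struct model_timer *t)
{
	if (t->state != T_PENDING)
		return 0;
	t->state = T_IDLE;
	return 1;
}

/* Modelled del_timer_sync(): returns only once no handler is in flight. */
static int model_del_timer_sync(struct model_timer *t)
{
	while (t->state == T_RUNNING)
		handler_finish(t);            /* "wait" for the other CPU to finish */
	return model_del_timer(t);
}

/* Modelled timer_shutdown_sync(): del_timer_sync() plus a permanent refusal to re-arm. */
static int model_timer_shutdown_sync(struct model_timer *t)
{
	t->shutdown = true;
	return model_del_timer_sync(t);
}

/* Module removal while the handler is already running on another CPU.
 * Returns how many port writes landed after release_region(). */
int writes_after_release_on_remove(enum stop_method m)
{
	port_region = (struct model_region){ .claimed = true, .writes_after_release = 0 };
	wdt_timer = (struct model_timer){ .state = T_IDLE, .shutdown = false, .fn = model_trigger };

	model_mod_timer(&wdt_timer);      /* driver armed the timer earlier */
	handler_enter(&wdt_timer);        /* timer fires; handler is now mid-flight */

	if (m == STOP_DEL_TIMER)
		model_del_timer(&wdt_timer);
	else if (m == STOP_DEL_TIMER_SYNC)
		model_del_timer_sync(&wdt_timer);
	else
		model_timer_shutdown_sync(&wdt_timer);
	port_region.claimed = false;      /* remove path calls release_region() */

	handler_finish(&wdt_timer);       /* the in-flight handler, if any, completes now */
	return port_region.writes_after_release;
}

/* Whether the timer can still be re-armed after the remove path stopped it:
 * del_timer_sync() leaves preventing that to the caller; timer_shutdown_sync() refuses. */
bool rearmable_after_stop(enum stop_method m)
{
	(void)writes_after_release_on_remove(m);
	return model_mod_timer(&wdt_timer);
}

int main(void)
{
	printf("del_timer:           %d write(s) after release\n", writes_after_release_on_remove(STOP_DEL_TIMER));
	printf("del_timer_sync:      %d write(s) after release\n", writes_after_release_on_remove(STOP_DEL_TIMER_SYNC));
	printf("timer_shutdown_sync: %d write(s) after release\n", writes_after_release_on_remove(STOP_TIMER_SHUTDOWN_SYNC));
	return 0;
}
```

Run as-is: only the del_timer() variant produces a write after release, while both synchronous variants produce none, which is the point made above that del_timer_sync() already closes this particular window. The rearmable_after_stop() helper shows the one thing timer_shutdown_sync() adds on top: a later mod_timer() is refused outright, whereas after del_timer_sync() the caller itself must make sure nothing re-arms the timer.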
