authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-03-29 10:14:17 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-03-29 10:14:17 +0100
commitfaa01572e2aa4c58a4d1500eb2425e64c2981671 (patch)
tree6b473c2476f0e3dcbdea25a8a594f739066b7ab9
parentb8ed1721d78bdfb2ac119ef9a57c391fe6a60af8 (diff)
downloadvulns-faa01572e2aa4c58a4d1500eb2425e64c2981671.tar.gz
assign CVE-2023-52629
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2023/CVE-2023-52629 (renamed from cve/reserved/2023/CVE-2023-52629)0
-rw-r--r--cve/published/2023/CVE-2023-52629.json88
-rw-r--r--cve/published/2023/CVE-2023-52629.mbox81
-rw-r--r--cve/published/2023/CVE-2023-52629.sha11
4 files changed, 170 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-52629 b/cve/published/2023/CVE-2023-52629
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52629
+++ b/cve/published/2023/CVE-2023-52629
diff --git a/cve/published/2023/CVE-2023-52629.json b/cve/published/2023/CVE-2023-52629.json
new file mode 100644
index 00000000..3bbdadba
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52629.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9f5e8eee5cfe",
+ "lessThan": "610dbd8ac271",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9f5e8eee5cfe",
+ "lessThan": "246f80a0b17f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.20",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.20",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.5.4",
+ "lessThanOrEqual": "6.5.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65"
+ }
+ ],
+ "title": "sh: push-switch: Reorder cleanup operations to avoid use-after-free bug",
+ "x_generator": {
+ "engine": "bippy-b4257b672505"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52629",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52629.mbox b/cve/published/2023/CVE-2023-52629.mbox
new file mode 100644
index 00000000..1512e749
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52629.mbox
@@ -0,0 +1,81 @@
+From bippy-b4257b672505 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52629: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
+Message-Id: <2024032949-CVE-2023-52629-a508@gregkh>
+Content-Length: 2487
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2552;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=qG2zCY46Uz7u/IJy2GTXiFsICC6dQw0wnp96YS8YgDg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlsbb6HfzwUmf3yv0nzpnuSwZ9dP19xd76bya2X6fVdX
+ HSziHdzRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEwkWodhfpHT66Xy3RGWzj4t
+ FTNC+Jcwem8IY1jQmNDvbyRf+MtKZlHM/0mvGPdwrtcBAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
+
+The original code puts flush_work() before timer_shutdown_sync()
+in switch_drv_remove(). Although we use flush_work() to stop
+the worker, it could be rescheduled in switch_timer(). As a result,
+a use-after-free bug can occur. The details are shown below:
+
+ (cpu 0) | (cpu 1)
+switch_drv_remove() |
+ flush_work() |
+ ... | switch_timer // timer
+ | schedule_work(&psw->work)
+ timer_shutdown_sync() |
+ ... | switch_work_handler // worker
+ kfree(psw) // free |
+ | psw->state = 0 // use
+
+This patch puts timer_shutdown_sync() before flush_work() to
+mitigate the bugs. As a result, the worker and timer will be
+stopped safely before the deallocate operations.
+
+The Linux kernel CVE team has assigned CVE-2023-52629 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.20 with commit 9f5e8eee5cfe and fixed in 6.5.4 with commit 610dbd8ac271
+ Issue introduced in 2.6.20 with commit 9f5e8eee5cfe and fixed in 6.6 with commit 246f80a0b17f
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52629
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/sh/drivers/push-switch.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de
+ https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65
diff --git a/cve/published/2023/CVE-2023-52629.sha1 b/cve/published/2023/CVE-2023-52629.sha1
new file mode 100644
index 00000000..8ec7f53e
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52629.sha1
@@ -0,0 +1 @@
+246f80a0b17f8f582b2c0996db02998239057c65