ghsa-384v-9gx5-rmx4
Vulnerability from github
Published
2024-03-29 12:30
Modified
2024-08-01 15:31
Severity ?
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below:

  (cpu 0)                    |      (cpu 1)

switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-52629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-29T10:15:09Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(\u0026psw-\u003ework)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw-\u003estate = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.",
  "id": "GHSA-384v-9gx5-rmx4",
  "modified": "2024-08-01T15:31:35Z",
  "published": "2024-03-29T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.