cve/published/2024/CVE-2024-50051.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50051: spi: mpc52xx: Add cancel_work_sync before module remove

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 spi: mpc52xx: Add cancel_work_sync before module remove

 If we remove the module which will call mpc52xx_spi_remove
 it will free 'ms' through spi_unregister_controller.
 while the work ms->work will be used. The sequence of operations
 that may lead to a UAF bug.

 Fix it by ensuring that the work is canceled before proceeding with
 the cleanup in mpc52xx_spi_remove.

 The Linux kernel CVE team has assigned CVE-2024-50051 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 5.4.287 with commit d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1
 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 5.10.231 with commit e0c6ce8424095c2da32a063d3fc027494c689817
 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 5.15.174 with commit cd5106c77d6d6828aa82449f01f4eb436d602a21
 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.1.120 with commit 373d55a47dc662e5e30d12ad5d334312f757c1f1
 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.6.66 with commit f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59
 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.12.5 with commit 90b72189de2cddacb26250579da0510b29a8b82b
 	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.13 with commit 984836621aad98802d92c4a3047114cf518074c8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50051
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/spi/spi-mpc52xx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1
 	https://git.kernel.org/stable/c/e0c6ce8424095c2da32a063d3fc027494c689817
 	https://git.kernel.org/stable/c/cd5106c77d6d6828aa82449f01f4eb436d602a21
 	https://git.kernel.org/stable/c/373d55a47dc662e5e30d12ad5d334312f757c1f1
 	https://git.kernel.org/stable/c/f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59
 	https://git.kernel.org/stable/c/90b72189de2cddacb26250579da0510b29a8b82b
 	https://git.kernel.org/stable/c/984836621aad98802d92c4a3047114cf518074c8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50051: spi: mpc52xx: Add cancel_work_sync before module remove

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	spi: mpc52xx: Add cancel_work_sync before module remove

	If we remove the module which will call mpc52xx_spi_remove
	it will free 'ms' through spi_unregister_controller.
	while the work ms->work will be used. The sequence of operations
	that may lead to a UAF bug.

	Fix it by ensuring that the work is canceled before proceeding with
	the cleanup in mpc52xx_spi_remove.

	The Linux kernel CVE team has assigned CVE-2024-50051 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 5.4.287 with commit d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1
	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 5.10.231 with commit e0c6ce8424095c2da32a063d3fc027494c689817
	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 5.15.174 with commit cd5106c77d6d6828aa82449f01f4eb436d602a21
	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.1.120 with commit 373d55a47dc662e5e30d12ad5d334312f757c1f1
	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.6.66 with commit f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59
	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.12.5 with commit 90b72189de2cddacb26250579da0510b29a8b82b
	Issue introduced in 3.1 with commit ca632f556697d45d67ed5cada7cedf3ddfe0db4b and fixed in 6.13 with commit 984836621aad98802d92c4a3047114cf518074c8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50051
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/spi/spi-mpc52xx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d0cde3911cf24e1bcdd4caa1d1b9ef57589db5a1
	https://git.kernel.org/stable/c/e0c6ce8424095c2da32a063d3fc027494c689817
	https://git.kernel.org/stable/c/cd5106c77d6d6828aa82449f01f4eb436d602a21
	https://git.kernel.org/stable/c/373d55a47dc662e5e30d12ad5d334312f757c1f1
	https://git.kernel.org/stable/c/f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59
	https://git.kernel.org/stable/c/90b72189de2cddacb26250579da0510b29a8b82b
	https://git.kernel.org/stable/c/984836621aad98802d92c4a3047114cf518074c8