From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52638: can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock

The following 3 locks would race against each other, causing the
deadlock situation in the Syzbot bug report:

- j1939_socks_lock
- active_session_list_lock
- sk_session_queue_lock

A reasonable fix is to change j1939_socks_lock to an rwlock, since in
the rare situations where a write lock is required for the linked list
that j1939_socks_lock is protecting, the code does not attempt to
acquire any more locks. This would break the circular lock dependency,
where, for example, the current thread already locks j1939_socks_lock
and attempts to acquire sk_session_queue_lock, and at the same time,
another thread attempts to acquire j1939_socks_lock while holding
sk_session_queue_lock.
NOTE: This patch alone does not fix the unregister_netdevice bug
reported by Syzbot; instead, it solves a deadlock situation to prepare
for one or more further patches to actually fix the Syzbot bug, which
appears to be a reference counting problem within the j1939 codebase.

[mkl: remove unrelated newline change]

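The circular dependency described in the commit message, and why taking j1939_socks_lock for reading breaks it, can be checked with a small lock-dependency model. The following is an added example written for this advisory; it is not kernel code and not lockdep. It records steps of the form "while holding lock X in mode M, acquire lock Y in mode N", chains two steps when the lock one step wants is the lock the other step holds and the two modes conflict (anything other than read/read), and reports a possible deadlock when those chains form a cycle. The lock names are taken from the commit message; the two steps modelled are exactly the example the message gives (active_session_list_lock is listed in the report but the exact chain through it is not spelled out, so it is left out of the model). The model assumes a held read lock never blocks another reader, which is an assumption of the model, not a claim about any particular rwlock implementation.

```c
/* Added example: a tiny lock-dependency model (not kernel code, not lockdep).
 * A struct dep records "while holding `held` in `held_mode`, a thread acquires
 * `want` in `want_mode`". Step i can wait on step j's thread when the lock i
 * wants is the lock j holds and the modes conflict. A cycle of such waits is a
 * possible deadlock. */
#include <stdbool.h>
#include <stdio.h>

/* Lock names from the commit message (active_session_list_lock is listed but
 * the exact chain through it is not given, so it is not used below). */
enum lock { SOCKS_LOCK, ACTIVE_SESSION_LIST_LOCK, SK_SESSION_QUEUE_LOCK };
enum mode { MODE_READ, MODE_WRITE };

struct dep {
	enum lock held;
	enum mode held_mode;
	enum lock want;
	enum mode want_mode;
};

#define MAX_DEPS 16

/* Model assumption: only read/read is compatible; a spinlock hold is "write". */
static bool conflicts(enum mode a, enum mode b)
{
	return a == MODE_WRITE || b == MODE_WRITE;
}

/* Step i can block on the thread performing step j. */
static bool chains(const struct dep *i, const struct dep *j)
{
	return i->want == j->held && conflicts(i->want_mode, j->held_mode);
}

/* Depth-first search for a cycle; color 0 = unvisited, 1 = on path, 2 = done. */
static bool dfs(const struct dep *deps, int n, int v, int *color)
{
	color[v] = 1;
	for (int u = 0; u < n; u++) {
		if (!chains(&deps[v], &deps[u]))
			continue;
		if (color[u] == 1)
			return true; /* back edge: a wait cycle exists */
		if (color[u] == 0 && dfs(deps, n, u, color))
			return true;
	}
	color[v] = 2;
	return false;
}

/* Returns true if the recorded steps can form a deadlock cycle. */
bool can_deadlock(const struct dep *deps, int n)
{
	int color[MAX_DEPS] = {0};

	if (n > MAX_DEPS)
		return true; /* refuse to under-report on a model we cannot hold */
	for (int v = 0; v < n; v++)
		if (color[v] == 0 && dfs(deps, n, v, color))
			return true;
	return false;
}

/* Before the fix: j1939_socks_lock is a spinlock, so every hold is exclusive.
 * Thread A holds j1939_socks_lock and wants sk_session_queue_lock;
 * thread B holds sk_session_queue_lock and wants j1939_socks_lock. */
bool j1939_before_fix(void)
{
	const struct dep deps[] = {
		{ SOCKS_LOCK, MODE_WRITE, SK_SESSION_QUEUE_LOCK, MODE_WRITE },
		{ SK_SESSION_QUEUE_LOCK, MODE_WRITE, SOCKS_LOCK, MODE_WRITE },
	};
	return can_deadlock(deps, 2);
}

/* After the fix: the path that nests another lock under j1939_socks_lock only
 * holds it for reading, and thread B only needs it for reading too. Writers to
 * the socket list acquire nothing else, so they contribute no step at all. */
bool j1939_after_fix(void)
{
	const struct dep deps[] = {
		{ SOCKS_LOCK, MODE_READ, SK_SESSION_QUEUE_LOCK, MODE_WRITE },
		{ SK_SESSION_QUEUE_LOCK, MODE_WRITE, SOCKS_LOCK, MODE_READ },
	};
	return can_deadlock(deps, 2);
}

int main(void)
{
	printf("spinlock model: deadlock possible = %d\n", j1939_before_fix());
	printf("rwlock model:   deadlock possible = %d\n", j1939_after_fix());
	return 0;
}
```

The second model reports no cycle only because the two steps meet at j1939_socks_lock in read/read mode; the write side of the list is safe precisely because, as the commit message states, it acquires no further locks. If a write path were later changed to nest another lock, adding that step to the model reintroduces a conflicting edge and the cycle returns, which is the property to re-check when reviewing follow-up patches to this code.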
The Linux kernel CVE team has assigned CVE-2023-52638 to this issue.


Affected and fixed versions
===========================

Fixed in 5.15.149 with commit 03358aba991668d3bb2c65b3c82aa32c36851170
Fixed in 6.1.79 with commit aedda066d717a0b4335d7e0a00b2e3a61e40afcf
Fixed in 6.6.18 with commit 26dfe112ec2e95fe0099681f6aec33da13c2dd8e
Fixed in 6.7.6 with commit 559b6322f9480bff68cfa98d108991e945a4f284
Fixed in 6.8 with commit 6cdedc18ba7b9dacc36466e27e3267d201948c8d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52638
will be updated if fixes are backported; please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/can/j1939/j1939-priv.h
net/can/j1939/main.c
net/can/j1939/socket.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/03358aba991668d3bb2c65b3c82aa32c36851170
https://git.kernel.org/stable/c/aedda066d717a0b4335d7e0a00b2e3a61e40afcf
https://git.kernel.org/stable/c/26dfe112ec2e95fe0099681f6aec33da13c2dd8e
https://git.kernel.org/stable/c/559b6322f9480bff68cfa98d108991e945a4f284
https://git.kernel.org/stable/c/6cdedc18ba7b9dacc36466e27e3267d201948c8d