cve/published/2024/CVE-2024-38630.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

 When the cpu5wdt module is removing, the origin code uses del_timer() to
 de-activate the timer. If the timer handler is running, del_timer() could
 not stop it and will return directly. If the port region is released by
 release_region() and then the timer handler cpu5wdt_trigger() calls outb()
 to write into the region that is released, the use-after-free bug will
 happen.

 Change del_timer() to timer_shutdown_sync() in order that the timer handler
 could be finished before the port region is released.

 The Linux kernel CVE team has assigned CVE-2024-38630 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.33 with commit 9b1c063ffc075abf56f63e55d70b9778ff534314
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9.4 with commit f19686d616500cd0d47b30cee82392b53f7f784a
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.10 with commit 573601521277119f2e2ba5f28ae6e87fc594f4d4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38630
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/watchdog/cpu5wdt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314
 	https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a
 	https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38630: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

	When the cpu5wdt module is removing, the origin code uses del_timer() to
	de-activate the timer. If the timer handler is running, del_timer() could
	not stop it and will return directly. If the port region is released by
	release_region() and then the timer handler cpu5wdt_trigger() calls outb()
	to write into the region that is released, the use-after-free bug will
	happen.

	Change del_timer() to timer_shutdown_sync() in order that the timer handler
	could be finished before the port region is released.

	The Linux kernel CVE team has assigned CVE-2024-38630 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.33 with commit 9b1c063ffc075abf56f63e55d70b9778ff534314
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9.4 with commit f19686d616500cd0d47b30cee82392b53f7f784a
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.10 with commit 573601521277119f2e2ba5f28ae6e87fc594f4d4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38630
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/watchdog/cpu5wdt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314
	https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a
	https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4