cve/published/2024/CVE-2024-39292.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-39292: um: Add winch to winch_handlers before registering winch IRQ

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

um: Add winch to winch_handlers before registering winch IRQ

Registering a winch IRQ is racy, an interrupt may occur before the winch is
added to the winch_handlers list.

If that happens, register_winch_irq() adds to that list a winch that is
scheduled to be (or has already been) freed, causing a panic later in
winch_cleanup().

Avoid the race by adding the winch to the winch_handlers list before
registering the IRQ, and rolling back if um_request_irq() fails.

The Linux kernel CVE team has assigned CVE-2024-39292 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 4.19.316 with commit 66ea9a7c6824821476914bed21a476cd20094f33
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 5.4.278 with commit dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 5.10.219 with commit 351d1a64544944b44732f6a64ed65573b00b9e14
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 5.15.161 with commit 31960d991e43c8d6dc07245f19fc13398e90ead2
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 6.1.93 with commit 0c02d425a2fbe52643a5859a779db0329e7dddd4
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 6.6.33 with commit 434a06c38ee1217a8baa0dd7c37cc85d50138fb0
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 6.9.4 with commit 73b8e21f76c7dda4905655d2e2c17dc5a73b87f1
	Issue introduced in 2.6.23 with commit 42a359e31a0e438b5b978a8f0fecdbd3c86bb033 and fixed in 6.10 with commit a0fbbd36c156b9f7b2276871d499c9943dfe5101

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-39292
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	arch/um/drivers/line.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33
	https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0
	https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14
	https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2
	https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4
	https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0
	https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1
	https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101