| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-39495: greybus: Fix use-after-free bug in gb_interface_release due to race condition. |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| greybus: Fix use-after-free bug in gb_interface_release due to race condition. |
| |
| In gb_interface_create, &intf->mode_switch_completion is bound with |
| gb_interface_mode_switch_work. Then it will be started by |
| gb_interface_request_mode_switch. Here is the relevant code. |
| if (!queue_work(system_long_wq, &intf->mode_switch_work)) { |
| ... |
| } |
| |
| If we call gb_interface_release to make cleanup, there may be an |
| unfinished work. This function will call kfree to free the object |
| "intf". However, if gb_interface_mode_switch_work is scheduled to |
| run after kfree, it may cause use-after-free error as |
| gb_interface_mode_switch_work will use the object "intf". |
| The possible execution flow that may lead to the issue is as follows: |
| |
| CPU0 CPU1 |
| |
| | gb_interface_create |
| | gb_interface_request_mode_switch |
| gb_interface_release | |
| kfree(intf) (free) | |
| | gb_interface_mode_switch_work |
| | mutex_lock(&intf->mutex) (use) |
| |
| Fix it by canceling the work before kfree. |
| |
| The Linux kernel CVE team has assigned CVE-2024-39495 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.4.279 with commit 74cd0a421896b2e07eafe7da4275302bfecef201 |
| Fixed in 5.10.221 with commit 2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83 |
| Fixed in 5.15.162 with commit fb071f5c75d4b1c177824de74ee75f9dd34123b9 |
| Fixed in 6.1.95 with commit 9a733d69a4a59c2d08620e6589d823c24be773dc |
| Fixed in 6.6.35 with commit 0b8fba38bdfb848fac52e71270b2aa3538c996ea |
| Fixed in 6.9.6 with commit 03ea2b129344152157418929f06726989efc0445 |
| Fixed in 6.10 with commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-39495 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/greybus/interface.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201 |
| https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83 |
| https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9 |
| https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc |
| https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea |
| https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445 |
| https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce |
