cve/published/2024/CVE-2024-46845.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46845: tracing/timerlat: Only clear timer if a kthread exists

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tracing/timerlat: Only clear timer if a kthread exists

 The timerlat tracer can use user space threads to check for osnoise and
 timer latency. If the program using this is killed via a SIGTERM, the
 threads are shutdown one at a time and another tracing instance can start
 up resetting the threads before they are fully closed. That causes the
 hrtimer assigned to the kthread to be shutdown and freed twice when the
 dying thread finally closes the file descriptors, causing a use-after-free
 bug.

 Only cancel the hrtimer if the associated thread is still around. Also add
 the interface_lock around the resetting of the tlat_var->kthread.

 Note, this is just a quick fix that can be backported to stable. A real
 fix is to have a better synchronization between the shutdown of old
 threads and the starting of new ones.

 The Linux kernel CVE team has assigned CVE-2024-46845 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.6.51 with commit 8c72f0b2c45f21cb8b00fc37f79f632d7e46c2ed
 	Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.10.10 with commit 8a9d0d405159e9c796ddf771f7cff691c1a2bc1e
 	Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.11 with commit e6a53481da292d970d1edf0d8831121d1c5e2f0d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46845
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/trace_osnoise.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8c72f0b2c45f21cb8b00fc37f79f632d7e46c2ed
 	https://git.kernel.org/stable/c/8a9d0d405159e9c796ddf771f7cff691c1a2bc1e
 	https://git.kernel.org/stable/c/e6a53481da292d970d1edf0d8831121d1c5e2f0d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46845: tracing/timerlat: Only clear timer if a kthread exists

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tracing/timerlat: Only clear timer if a kthread exists

	The timerlat tracer can use user space threads to check for osnoise and
	timer latency. If the program using this is killed via a SIGTERM, the
	threads are shutdown one at a time and another tracing instance can start
	up resetting the threads before they are fully closed. That causes the
	hrtimer assigned to the kthread to be shutdown and freed twice when the
	dying thread finally closes the file descriptors, causing a use-after-free
	bug.

	Only cancel the hrtimer if the associated thread is still around. Also add
	the interface_lock around the resetting of the tlat_var->kthread.

	Note, this is just a quick fix that can be backported to stable. A real
	fix is to have a better synchronization between the shutdown of old
	threads and the starting of new ones.

	The Linux kernel CVE team has assigned CVE-2024-46845 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.6.51 with commit 8c72f0b2c45f21cb8b00fc37f79f632d7e46c2ed
	Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.10.10 with commit 8a9d0d405159e9c796ddf771f7cff691c1a2bc1e
	Issue introduced in 6.5 with commit e88ed227f639ebcb31ed4e5b88756b47d904584b and fixed in 6.11 with commit e6a53481da292d970d1edf0d8831121d1c5e2f0d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46845
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/trace_osnoise.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8c72f0b2c45f21cb8b00fc37f79f632d7e46c2ed
	https://git.kernel.org/stable/c/8a9d0d405159e9c796ddf771f7cff691c1a2bc1e
	https://git.kernel.org/stable/c/e6a53481da292d970d1edf0d8831121d1c5e2f0d