cve/published/2024/CVE-2024-47747.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47747: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

 In the ether3_probe function, a timer is initialized with a callback
 function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
 started, there is a risk of a race condition if the module or device
 is removed, triggering the ether3_remove function to perform cleanup.
 The sequence of operations that may lead to a UAF bug is as follows:

 CPU0                                    CPU1

                       |  ether3_ledoff
 ether3_remove         |
   free_netdev(dev);   |
   put_devic           |
   kfree(dev);         |
  |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                       | // use dev

 Fix it by ensuring that the timer is canceled before proceeding with
 the cleanup in ether3_remove.

 The Linux kernel CVE team has assigned CVE-2024-47747 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 4.19.323 with commit 25d559ed2beec9b34045886100dac46d1ad92eba
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 5.4.285 with commit b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 5.10.227 with commit 338a0582b28e69460df03af50e938b86b4206353
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 5.15.168 with commit 822c7bb1f6f8b0331e8d1927151faf8db3b33afd
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.1.113 with commit 1c57d61a43293252ad732007c7070fdb112545fd
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.6.54 with commit d2abc379071881798d20e2ac1d332ad855ae22f3
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.10.13 with commit 516dbc6d16637430808c39568cbb6b841d32b55b
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.11.2 with commit 77a77331cef0a219b8dd91361435eeef04cb741c
 	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.12 with commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47747
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/seeq/ether3.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/25d559ed2beec9b34045886100dac46d1ad92eba
 	https://git.kernel.org/stable/c/b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9
 	https://git.kernel.org/stable/c/338a0582b28e69460df03af50e938b86b4206353
 	https://git.kernel.org/stable/c/822c7bb1f6f8b0331e8d1927151faf8db3b33afd
 	https://git.kernel.org/stable/c/1c57d61a43293252ad732007c7070fdb112545fd
 	https://git.kernel.org/stable/c/d2abc379071881798d20e2ac1d332ad855ae22f3
 	https://git.kernel.org/stable/c/516dbc6d16637430808c39568cbb6b841d32b55b
 	https://git.kernel.org/stable/c/77a77331cef0a219b8dd91361435eeef04cb741c
 	https://git.kernel.org/stable/c/b5109b60ee4fcb2f2bb24f589575e10cc5283ad4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47747: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

	In the ether3_probe function, a timer is initialized with a callback
	function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
	started, there is a risk of a race condition if the module or device
	is removed, triggering the ether3_remove function to perform cleanup.
	The sequence of operations that may lead to a UAF bug is as follows:

	CPU0 CPU1

	\| ether3_ledoff
	ether3_remove \|
	free_netdev(dev); \|
	put_devic \|
	kfree(dev); \|
	\| ether3_outw(priv(dev)->regs.config2 \|= CFG2_CTRLO, REG_CONFIG2);
	\| // use dev

	Fix it by ensuring that the timer is canceled before proceeding with
	the cleanup in ether3_remove.

	The Linux kernel CVE team has assigned CVE-2024-47747 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 4.19.323 with commit 25d559ed2beec9b34045886100dac46d1ad92eba
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 5.4.285 with commit b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 5.10.227 with commit 338a0582b28e69460df03af50e938b86b4206353
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 5.15.168 with commit 822c7bb1f6f8b0331e8d1927151faf8db3b33afd
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.1.113 with commit 1c57d61a43293252ad732007c7070fdb112545fd
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.6.54 with commit d2abc379071881798d20e2ac1d332ad855ae22f3
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.10.13 with commit 516dbc6d16637430808c39568cbb6b841d32b55b
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.11.2 with commit 77a77331cef0a219b8dd91361435eeef04cb741c
	Issue introduced in 4.15 with commit 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 and fixed in 6.12 with commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47747
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/seeq/ether3.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/25d559ed2beec9b34045886100dac46d1ad92eba
	https://git.kernel.org/stable/c/b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9
	https://git.kernel.org/stable/c/338a0582b28e69460df03af50e938b86b4206353
	https://git.kernel.org/stable/c/822c7bb1f6f8b0331e8d1927151faf8db3b33afd
	https://git.kernel.org/stable/c/1c57d61a43293252ad732007c7070fdb112545fd
	https://git.kernel.org/stable/c/d2abc379071881798d20e2ac1d332ad855ae22f3
	https://git.kernel.org/stable/c/516dbc6d16637430808c39568cbb6b841d32b55b
	https://git.kernel.org/stable/c/77a77331cef0a219b8dd91361435eeef04cb741c
	https://git.kernel.org/stable/c/b5109b60ee4fcb2f2bb24f589575e10cc5283ad4