Bug 1222231 (CVE-2023-52629) - VUL-0: CVE-2023-52629: kernel: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug
Summary: VUL-0: CVE-2023-52629: kernel: sh: push-switch: Reorder cleanup operations to...
Status: RESOLVED INVALID
Alias: CVE-2023-52629
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/399612/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52629:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-02 09:57 UTC by SMASH SMASH
Modified: 2024-04-29 10:34 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-04-02 09:57:52 UTC
In the Linux kernel, the following vulnerability has been resolved:

sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync()
in switch_drv_remove(). Although we use flush_work() to stop
the worker, it could be rescheduled in switch_timer(). As a result,
a use-after-free bug can occur. The details are shown below:

      (cpu 0)                    |      (cpu 1)
switch_drv_remove()              |
 flush_work()                    |
  ...                            |  switch_timer // timer
                                 |   schedule_work(&psw->work)
 timer_shutdown_sync()           |
 ...                             |  switch_work_handler // worker
 kfree(psw) // free              |
                                 |   psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to
mitigate the bugs. As a result, the worker and timer will be
stopped safely before the deallocate operations.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52629
https://www.cve.org/CVERecord?id=CVE-2023-52629
https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65
https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de
https://bugzilla.redhat.com/show_bug.cgi?id=2272204
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2023/CVE-2023-52629.mbox
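To make the interleaving in the description concrete, here is a small userspace model added for this bug page. It is not the push-switch driver's code and not the real kernel API: schedule_work(), flush_work(), timer_shutdown_sync(), fire_timer() and the psw structure are toy stand-ins (assumptions) with just enough semantics to reproduce the ordering problem. flush_work() drains a queued item but cannot stop it from being queued again, while timer_shutdown_sync() disarms the timer permanently. The cross-CPU race is made deterministic by firing the timer explicitly in the window between the two cleanup calls, and kfree() is modelled by a flag so the use after free can be counted instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy single-work-item model of the primitives named in the commit message.
 * Written for this page as an illustration; not the real kernel API. */

struct work {
    void (*fn)(struct work *);
    bool pending;           /* queued, worker has not run it yet */
};

struct timer {
    void (*fn)(struct timer *);
    bool armed;             /* will fire unless shut down first */
    bool shutdown;          /* timer_shutdown_sync() done: can never fire again */
};

/* Per-device state, modelled on the psw object in the description. */
struct push_switch {
    struct timer timer;
    struct work work;
    int state;
    bool freed;             /* stands in for kfree(); memory stays valid so we can observe the use */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static int uaf_count;       /* handler runs that touched an already freed psw */

static void schedule_work(struct work *w) { w->pending = true; }

/* The worker thread picking up the queued item. */
static void run_workqueue(struct work *w)
{
    if (w->pending) {
        w->pending = false;
        w->fn(w);
    }
}

/* flush_work() waits for a queued instance to finish; it does nothing to
 * stop the item from being queued again afterwards. */
static void flush_work(struct work *w) { run_workqueue(w); }

/* timer_shutdown_sync() disarms the timer and turns any later re-arm into a no-op. */
static void timer_shutdown_sync(struct timer *t)
{
    t->armed = false;
    t->shutdown = true;
}

/* The timer expiring on the other CPU. */
static void fire_timer(struct timer *t)
{
    if (t->armed && !t->shutdown) {
        t->armed = false;
        t->fn(t);
    }
}

static void switch_work_handler(struct work *w)
{
    struct push_switch *psw = container_of(w, struct push_switch, work);
    if (psw->freed)
        uaf_count++;        /* this is the "psw->state = 0 // use" from the description */
    else
        psw->state = 0;
}

static void switch_timer(struct timer *t)
{
    struct push_switch *psw = container_of(t, struct push_switch, timer);
    schedule_work(&psw->work);      /* timer re-queues the work item */
}

static void psw_init(struct push_switch *psw)
{
    psw->timer.fn = switch_timer;
    psw->timer.armed = true;
    psw->timer.shutdown = false;
    psw->work.fn = switch_work_handler;
    psw->work.pending = false;
    psw->state = 1;
    psw->freed = false;
}

/* Original switch_drv_remove() order. 'race' = timer expires between the two
 * cleanup calls. Returns how many handler runs touched freed memory. */
static int remove_original_order(bool race)
{
    struct push_switch psw;
    psw_init(&psw);
    uaf_count = 0;
    flush_work(&psw.work);              /* cpu 0 */
    if (race)
        fire_timer(&psw.timer);         /* cpu 1: switch_timer -> schedule_work */
    timer_shutdown_sync(&psw.timer);    /* cpu 0: too late, work already queued */
    psw.freed = true;                   /* kfree(psw) */
    run_workqueue(&psw.work);           /* cpu 1: worker runs after the free */
    return uaf_count;
}

/* Order after the fix: shut the timer down first, then drain the work. */
static int remove_fixed_order(bool race)
{
    struct push_switch psw;
    psw_init(&psw);
    uaf_count = 0;
    timer_shutdown_sync(&psw.timer);    /* cpu 0: timer can no longer fire */
    if (race)
        fire_timer(&psw.timer);         /* cpu 1: no-op now */
    flush_work(&psw.work);              /* drains anything queued earlier */
    psw.freed = true;                   /* kfree(psw) */
    run_workqueue(&psw.work);           /* nothing pending */
    return uaf_count;
}

int main(void)
{
    printf("original order, timer fires in window: %d use(s) after free\n",
           remove_original_order(true));
    printf("original order, no race:               %d use(s) after free\n",
           remove_original_order(false));
    printf("fixed order,    timer fires in window: %d use(s) after free\n",
           remove_fixed_order(true));
    return 0;
}
```

The point the model makes is the one the commit message states: flush_work() only guarantees that the instance queued at the time of the call has finished, so any source that can re-queue the work (here the timer) has to be shut down first. The same ordering rule applies to any driver whose timer or interrupt handler calls schedule_work() on a per-device object.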
Comment 2 Michal Koutný 2024-04-26 17:01:10 UTC
scripts/check-kernel-fix CVE-2023-52629
246f80a0b17f8 ("sh: push-switch: Reorder cleanup operations to avoid use-after-free bug") merged v6.6-rc1~9^2
Fixes: 9f5e8eee5cfe1 ("sh: generic push-switch framework.") merged v2.6.20-rc1~34^2~20^2~32^2~25
Security fix for CVE-2023-52629 bsc#1222231 with CVSS 5.5
..............................
ACTION NEEDED!
SLE15-SP6: MANUAL: backport 246f80a0b17f8f582b2c0996db02998239057c65 (Fixes 9f5e8eee5cfe)
SLE15-SP5: MANUAL: backport 246f80a0b17f8f582b2c0996db02998239057c65 (Fixes 9f5e8eee5cfe)
SLE12-SP5: MANUAL: backport 246f80a0b17f8f582b2c0996db02998239057c65 (Fixes 9f5e8eee5cfe)
SLE12-SP3-TD: MANUAL: backport 246f80a0b17f8f582b2c0996db02998239057c65 (Fixes 9f5e8eee5cfe)

The patch changes sources of SuperH architecture code which we don't support yet distribute in our RPMs. So our products are UNaffected.

I'm going to blacklist the patch to silence git-fixes. We'll have the fix from upstream if we add support for the arch in the future.
Comment 3 Michal Koutný 2024-04-26 17:02:18 UTC
(In reply to Michal Koutný from comment #2)
> The patch changes sources of SuperH architecture code which we don't support
> yet distribute in our RPMs. So our products are UNaffected.

nor distribute