On 9/8/23 10:15, Greg KH wrote:
On Fri, Sep 08, 2023 at 05:41:35AM +0400, Denis Efremov (Oracle) wrote:
From: Duoming Zhou duoming@zju.edu.cn
The watchdog_timer can schedule tx_timeout_task and watchdog_work can also arm watchdog_timer. The process is shown below:
----------- timer schedules work ------------ cyttsp4_watchdog_timer() //timer handler schedule_work(&cd->watchdog_work)
----------- work arms timer ------------ cyttsp4_watchdog_work() //workqueue callback function cyttsp4_start_wd_timer() mod_timer(&cd->watchdog_timer, ...)
Although del_timer_sync() and cancel_work_sync() are called in cyttsp4_remove(), the timer and workqueue could still be rearmed. As a result, the possible use after free bugs could happen. The process is shown below:
(cleanup routine) | (timer and workqueue routine) cyttsp4_remove() | cyttsp4_watchdog_timer() //timer cyttsp4_stop_wd_timer() | schedule_work() del_timer_sync() | | cyttsp4_watchdog_work() //worker | cyttsp4_start_wd_timer() | mod_timer() cancel_work_sync() | | cyttsp4_watchdog_timer() //timer | schedule_work() del_timer_sync() | kfree(cd) //FREE | | cyttsp4_watchdog_work() // reschedule! | cd-> //USE
This patch changes del_timer_sync() to timer_shutdown_sync(), which could prevent rearming of the timer from the workqueue.
Cc: stable@vger.kernel.org Fixes: CVE-2023-4134
"CVE" is not a valid Fixes tag :(
Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices") Signed-off-by: Duoming Zhou duoming@zju.edu.cn Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@zju.edu.cn Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Denis Efremov (Oracle) efremov@linux.com
I've only added Cc: stable and Fixes tag.
Please, don't take this patch. It breaks the build. Sorry, I forgot to check it this time. I'll resend a correct backport with the upstream commit info.
Best Regards, Denis