Re: [PATCH] Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()

On Fri, Sep 08, 2023 at 05:41:35AM +0400, Denis Efremov (Oracle) wrote:
> From: Duoming Zhou <duoming@xxxxxxxxxx>
> 
> The watchdog_timer can schedule tx_timeout_task and watchdog_work
> can also arm watchdog_timer. The process is shown below:
> 
> ----------- timer schedules work ------------
> cyttsp4_watchdog_timer() //timer handler
>   schedule_work(&cd->watchdog_work)
> 
> ----------- work arms timer ------------
> cyttsp4_watchdog_work() //workqueue callback function
>   cyttsp4_start_wd_timer()
>     mod_timer(&cd->watchdog_timer, ...)
> 
> Although del_timer_sync() and cancel_work_sync() are called in
> cyttsp4_remove(), the timer and workqueue could still be rearmed.
> As a result, possible use-after-free bugs could happen. The
> process is shown below:
> 
>   (cleanup routine)           |  (timer and workqueue routine)
> cyttsp4_remove()              | cyttsp4_watchdog_timer() //timer
>   cyttsp4_stop_wd_timer()     |   schedule_work()
>     del_timer_sync()          |
>                               | cyttsp4_watchdog_work() //worker
>                               |   cyttsp4_start_wd_timer()
>                               |     mod_timer()
>     cancel_work_sync()        |
>                               | cyttsp4_watchdog_timer() //timer
>                               |   schedule_work()
>     del_timer_sync()          |
>   kfree(cd) //FREE            |
>                               | cyttsp4_watchdog_work() // reschedule!
>                               |   cd-> //USE
> 
> This patch changes del_timer_sync() to timer_shutdown_sync(),
> which could prevent rearming of the timer from the workqueue.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: CVE-2023-4134

"CVE" is not a valid Fixes tag :(

> Fixes: 17fb1563d69b ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices")
> Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
> Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@xxxxxxxxxx
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
> Signed-off-by: Denis Efremov (Oracle) <efremov@xxxxxxxxx>
> ---
> 
> I've only added Cc: stable and Fixes tag.

What is the commit id in Linus's tree for this?

thanks,

greg k-h
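Added example, not part of this thread, the patch or the cyttsp4 driver: a user-space C model of the timer/work cycle from the quoted commit message. The kernel APIs are replaced by assumed model_* functions with the same semantics, and the interleaving from the commit message is replayed once with del_timer_sync() and once with timer_shutdown_sync(), to show that only the latter stops the work from rearming the timer after kfree(cd).

```c
#include <stdbool.h>
/* User-space model (assumed names): "shut_down" is the state that
 * timer_shutdown_sync() leaves a timer in; mod_timer() then refuses to arm it. */
struct model_timer { bool pending; bool shut_down; };
struct model_work  { bool pending; };
static bool model_mod_timer(struct model_timer *t)
{
    if (t->shut_down)
        return false;               /* rearm refused: the effect of the fix */
    t->pending = true;
    return true;
}
/* del_timer_sync() only deactivates; a later mod_timer() can rearm. */
static void model_del_timer_sync(struct model_timer *t) { t->pending = false; }
/* timer_shutdown_sync() deactivates and blocks every future rearm. */
static void model_timer_shutdown_sync(struct model_timer *t)
{
    t->pending = false;
    t->shut_down = true;
}
/* cyttsp4_watchdog_timer(): the timer handler schedules the work. */
static void model_timer_fire(struct model_timer *t, struct model_work *w)
{
    if (t->pending) { t->pending = false; w->pending = true; }
}
/* cyttsp4_watchdog_work() -> cyttsp4_start_wd_timer() -> mod_timer(). */
static bool model_work_run(struct model_timer *t, struct model_work *w)
{
    if (!w->pending) return false;
    w->pending = false;
    return model_mod_timer(t);
}

/* Replays the interleaving from the commit message; returns true when the
 * work run after kfree(cd) still rearms the timer (the use-after-free window). */
bool cleanup_leaves_timer_rearmable(bool use_shutdown)
{
    struct model_timer t = { .pending = true, .shut_down = false };
    struct model_work w = { .pending = false };
    void (*stop)(struct model_timer *) = use_shutdown ? model_timer_shutdown_sync : model_del_timer_sync;
    model_timer_fire(&t, &w);   /* timer handler runs: schedule_work()     */
    stop(&t);                   /* cyttsp4_stop_wd_timer(): first stop     */
    model_work_run(&t, &w);     /* worker: cyttsp4_start_wd_timer()        */
    w.pending = false;          /* cancel_work_sync()                      */
    model_timer_fire(&t, &w);   /* timer fires again: schedule_work()      */
    stop(&t);                   /* second stop                             */
    /* kfree(cd) would happen here; the queued work still runs afterwards. */
    return model_work_run(&t, &w);
}
```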