Bug 2320618 (CVE-2024-50059) - CVE-2024-50059 kernel: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition
Summary: CVE-2024-50059 kernel: ntb: ntb_hw_switchtec: Fix use after free vulnerabilit...
Keywords:
Status: NEW
Alias: CVE-2024-50059
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2327805
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-10-21 20:03 UTC by OSIDB Bzimport
Modified: 2024-11-21 14:06 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-10-21 20:03:55 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev
function, then &sndev->check_link_status_work is bound with
check_link_status_work. switchtec_ntb_link_notification may be called
to start the work.

If we remove the module which will call switchtec_ntb_remove to make
cleanup, it will free sndev through kfree(sndev), while the work
mentioned above will be used. The sequence of operations that may lead
to a UAF bug is as follows:

CPU0                                 CPU1

                        | check_link_status_work
switchtec_ntb_remove    |
kfree(sndev);           |
                        | if (sndev->link_force_down)
                        | // use sndev

Fix it by ensuring that the work is canceled before proceeding with
the cleanup in switchtec_ntb_remove.
Comment 1 Avinash Hanwate 2024-10-22 10:15:48 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-50059-4ccd@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.