From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A025614037C for ; Mon, 24 Jun 2024 13:52:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719237164; cv=none; b=s8a+yAaKuATapDjK1jbUFgPTu/1ZUs8x+aERT0uPqzwluOq+rLXN5eRY1LjM9A/5CJkGcz7VOVa/tPXkpqQwohMzwI6qUPZKFwvVto6fN3N0qudMLwlPsppkorchHS/fiXB5GRjl/agLhfR8o5mHuyLN8w8LS4gGEIeCGMgnYTE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719237164; c=relaxed/simple; bh=AHMKuf4L69IU9d/ufM8GaS8r+TIMRSBQaXoS13BPFlg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=GCAprfwSGVhVPDy9zTvtPdCTiRv4KEZ2ecrcGI+ktW8xzec3ARaZCW9GJBahTBE0XJVnXRI+Fj8jz5wh3sMrRnkEFq+LQ6pyjOJQDg3xKuF/PicCbwAprPqjDBoxvW4DVL/n+02Y12lNgMhS63qvLfOHnvj0dp94Z/NqTw4loQY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ZluwRhXI; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ZluwRhXI" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 08037C2BBFC; Mon, 24 Jun 2024 13:52:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1719237164; bh=AHMKuf4L69IU9d/ufM8GaS8r+TIMRSBQaXoS13BPFlg=; h=From:To:Cc:Subject:Date:Reply-to:From; b=ZluwRhXIa2aBoQyxkmHdOemDWt5cTSH4Fr6A+NomSBDPhcWztDdH5uSy5ZXrred8L fa99muOTdJLTuWjZKEAvGLJ0PehCRxExVKPe+nNYFfSDCzpeAie8mZVK9cBZ6qcx9l H+ycAuk7renzOqn6V4NJxSEV57bgrHKTIrJKy9K4= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2024-39292: um: Add winch to winch_handlers before registering winch IRQ Date: Mon, 24 Jun 2024 15:52:33 +0200 Message-ID: <2024062432-CVE-2024-39292-e5c2@gregkh> X-Mailer: git-send-email 2.45.2 Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=3124; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=AHMKuf4L69IU9d/ufM8GaS8r+TIMRSBQaXoS13BPFlg=; b=owGbwMvMwCRo6H6F97bub03G02pJDGmVVQrn1i8svMgvsPEST43YOp/HkwuzTvh8PzBZSmy3a nWpGuPGjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiIyCuG+ckrGOomtz28lb8o NPEdX2uf/szkTIb54QxKxbk9n/rXeE7edWzNdaH3WkufAAA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit Description =========== In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails. The Linux kernel CVE team has assigned CVE-2024-39292 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 4.19.316 with commit 66ea9a7c6824 Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 5.4.278 with commit dc1ff95602ee Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 5.10.219 with commit 351d1a645449 Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 5.15.161 with commit 31960d991e43 Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 6.1.93 with commit 0c02d425a2fb Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 6.6.33 with commit 434a06c38ee1 Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 6.9.4 with commit 73b8e21f76c7 Issue introduced in 2.6.23 with commit 42a359e31a0e and fixed in 6.10-rc1 with commit a0fbbd36c156 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-39292 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/um/drivers/line.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/66ea9a7c6824821476914bed21a476cd20094f33 https://git.kernel.org/stable/c/dc1ff95602ee908fcd7d8acee7a0dadb61b1a0c0 https://git.kernel.org/stable/c/351d1a64544944b44732f6a64ed65573b00b9e14 https://git.kernel.org/stable/c/31960d991e43c8d6dc07245f19fc13398e90ead2 https://git.kernel.org/stable/c/0c02d425a2fbe52643a5859a779db0329e7dddd4 https://git.kernel.org/stable/c/434a06c38ee1217a8baa0dd7c37cc85d50138fb0 https://git.kernel.org/stable/c/73b8e21f76c7dda4905655d2e2c17dc5a73b87f1 https://git.kernel.org/stable/c/a0fbbd36c156b9f7b2276871d499c9943dfe5101