{ "id": "CVE-2023-52629", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-03-29T10:15:09.327", "lastModified": "2024-11-21T08:40:14.360", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations." }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sh: push-switch: reordenar las operaciones de limpieza para evitar el error de use after free. El c\u00f3digo original coloca Flush_work() antes de timer_shutdown_sync() en switch_drv_remove(). Aunque usamos Flush_work() para detener al trabajador, podr\u00eda reprogramarse en switch_timer(). Como resultado, puede ocurrir un error de use after free. Los detalles se muestran a continuaci\u00f3n: (cpu 0) | (procesador 1) switch_drv_remove() | descarga_trabajo() | ... | switch_timer // temporizador | Schedule_work(&psw->trabajo) timer_shutdown_sync() | ... | switch_work_handler // trabajador kfree(psw) // gratis | | psw->state = 0 // uso Este parche coloca timer_shutdown_sync() antes de Flush_work() para mitigar los errores. Como resultado, el trabajador y el temporizador se detendr\u00e1n de forma segura antes de las operaciones de desasignaci\u00f3n." } ], "metrics": { "cvssMetricV31": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "exploitabilityScore": 2.5, "impactScore": 5.9 } ] }, "weaknesses": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-416" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de", "source": "af854a3a-2127-422b-91ae-364da2661108" } ] }