CVE-2023-52635

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/04/2024
Last modified:
17/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

There is a chance that a frequent switch of the governor done in a loop results in timer list corruption, where timer cancel is being done from two places, one from cancel_delayed_work_sync() and followed by expire_timers(), as can be seen from the traces [1].

while true
do
echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
done

It looks to be an issue with the devfreq driver where device_monitor_[start/stop] need to be synchronized so that delayed work should get corrupted while it is either being queued or running or being cancelled.

Let's use the polling flag and devfreq lock to synchronize the queueing of the timer instance twice and work data being corrupted.

[1]
...
..
-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428
-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c
-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428
kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227
vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428
vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428
vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532
vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428
xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428

[2]

[ 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a
[ 9436.261664][ C4] Mem abort info:
[ 9436.261666][ C4] ESR = 0x96000044
[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9436.261671][ C4] SET = 0, FnV = 0
[ 9436.261673][ C4] EA = 0, S1PTW = 0
[ 9436.261675][ C4] Data abort info:
[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044
[ 9436.261680][ C4] CM = 0, WnR = 1
[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges
[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0
...

[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1
[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)
[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438
[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438
[ 9436.262168][ C4] sp : ffffffc010023dd0
[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008
[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280
[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122
[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80
[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038
[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201
[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100
[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff
[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122
[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101
[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8
---truncated---

Vulnerable products and versions

CPE                                              From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     -                    5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)     5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)     6.1.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)      6.6.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)      6.7.4 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* -                    -