CVE-2023-53587

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Sync IRQ works before buffer destruction<br /> <br /> If something was written to the buffer just before destruction,<br /> it may be possible (maybe not in a real system, but it did<br /> happen in ARCH=um with time-travel) to destroy the ringbuffer<br /> before the IRQ work ran, leading this KASAN report (or a crash<br /> without KASAN):<br /> <br /> BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a<br /> Read of size 8 at addr 000000006d640a48 by task swapper/0<br /> <br /> CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7<br /> Stack:<br /> 60c4f20f 0c203d48 41b58ab3 60f224fc<br /> 600477fa 60f35687 60c4f20f 601273dd<br /> 00000008 6101eb00 6101eab0 615be548<br /> Call Trace:<br /> [] show_stack+0x25e/0x282<br /> [] dump_stack_lvl+0x96/0xfd<br /> [] print_report+0x1a7/0x5a8<br /> [] kasan_report+0xc1/0xe9<br /> [] __asan_report_load8_noabort+0x1b/0x1d<br /> [] irq_work_run_list+0x11a/0x13a<br /> [] irq_work_tick+0x24/0x34<br /> [] update_process_times+0x162/0x196<br /> [] tick_sched_handle+0x1a4/0x1c3<br /> [] tick_sched_timer+0x79/0x10c<br /> [] __hrtimer_run_queues.constprop.0+0x425/0x695<br /> [] hrtimer_interrupt+0x16c/0x2c4<br /> [] um_timer+0x164/0x183<br /> [...]<br /> <br /> Allocated by task 411:<br /> save_stack_trace+0x99/0xb5<br /> stack_trace_save+0x81/0x9b<br /> kasan_save_stack+0x2d/0x54<br /> kasan_set_track+0x34/0x3e<br /> kasan_save_alloc_info+0x25/0x28<br /> ____kasan_kmalloc+0x8b/0x97<br /> __kasan_kmalloc+0x10/0x12<br /> __kmalloc+0xb2/0xe8<br /> load_elf_phdrs+0xee/0x182<br /> [...]<br /> <br /> The buggy address belongs to the object at 000000006d640800<br /> which belongs to the cache kmalloc-1k of size 1024<br /> The buggy address is located 584 bytes inside of<br /> freed 1024-byte region [000000006d640800, 000000006d640c00)<br /> <br /> Add the appropriate irq_work_sync() so the work finishes before<br /> the buffers are destroyed.<br /> <br /> Prior to the commit in the Fixes tag below, there was only a<br /> single global IRQ work, so this issue didn&amp;#39;t exist.