In the Linux kernel, the following vulnerability has been resolved:
ax25: fix use-after-free bugs caused by ax25dsdel_timer
When the ax25 device is detaching, the ax25devdevicedown() calls ax25dsdeltimer() to cleanup the slavetimer. When the timer handler is running, the ax25dsdeltimer() that calls del_timer() in it will return directly. As a result, the use-after-free bugs could happen, one of the scenarios is shown below:
(Thread 1) | (Thread 2)
| ax25_ds_timeout()
ax25devdevicedown() | ax25dsdeltimer() | deltimer() | ax25devput() //FREE | | ax25dev-> //USE
In order to mitigate bugs, when the device is detaching, use timershutdownsync() to stop the timer.
{ "vanir_signatures": [ { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fd819ad3ecf6f3c232a06b27423ce9ed8c20da89", "deprecated": false, "id": "CVE-2024-35887-1ae0c385", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "118749655098592485638472392615095243238", "127990043000989684734220408953620159410", "198099407153709880367002116230872391070", "268883202516729139945937464042028170294" ] }, "target": { "file": "net/ax25/ax25_dev.c" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c6a368f9c7af4c14b14d390c2543af8001c9bdb9", "deprecated": false, "id": "CVE-2024-35887-6342bd04", "signature_type": "Function", "digest": { "length": 832.0, "function_hash": "175125873230525905873666956066759664579" }, "target": { "file": "net/ax25/ax25_dev.c", "function": "ax25_dev_device_down" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74204bf9050f7627aead9875fe4e07ba125cb19b", "deprecated": false, "id": "CVE-2024-35887-88de1c10", "signature_type": "Function", "digest": { "length": 832.0, "function_hash": "175125873230525905873666956066759664579" }, "target": { "file": "net/ax25/ax25_dev.c", "function": "ax25_dev_device_down" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fd819ad3ecf6f3c232a06b27423ce9ed8c20da89", "deprecated": false, "id": "CVE-2024-35887-c789695e", "signature_type": "Function", "digest": { "length": 832.0, "function_hash": "175125873230525905873666956066759664579" }, "target": { "file": "net/ax25/ax25_dev.c", "function": "ax25_dev_device_down" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c6a368f9c7af4c14b14d390c2543af8001c9bdb9", "deprecated": false, "id": "CVE-2024-35887-e3e2a86d", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "118749655098592485638472392615095243238", "127990043000989684734220408953620159410", "198099407153709880367002116230872391070", "268883202516729139945937464042028170294" ] }, "target": { "file": "net/ax25/ax25_dev.c" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74204bf9050f7627aead9875fe4e07ba125cb19b", "deprecated": false, "id": "CVE-2024-35887-f36e41da", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "118749655098592485638472392615095243238", "127990043000989684734220408953620159410", "198099407153709880367002116230872391070", "268883202516729139945937464042028170294" ] }, "target": { "file": "net/ax25/ax25_dev.c" } } ] }