Use After Free Affecting gfs2-kmp-default package, versions <6.4.0-150600.23.14.2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES156-GFS2KMPDEFAULT-7554560
- published 23 Jul 2024
- disclosed 22 Jul 2024
Introduced: 22 Jul 2024
CVE-2024-38630 Open this link in a new tabHow to fix?
Upgrade SLES:15.6
gfs2-kmp-default
to version 6.4.0-150600.23.14.2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gfs2-kmp-default
package and not the gfs2-kmp-default
package as distributed by SLES
.
See How to fix?
for SLES:15.6
relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen.
Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.
References
- https://www.suse.com/security/cve/CVE-2024-38630.html
- https://bugzilla.suse.com/1226908
- https://git.kernel.org/stable/c/573601521277119f2e2ba5f28ae6e87fc594f4d4
- https://git.kernel.org/stable/c/9b1c063ffc075abf56f63e55d70b9778ff534314
- https://git.kernel.org/stable/c/f19686d616500cd0d47b30cee82392b53f7f784a