Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2909 vulnerabilities reference this CWE, most recent first.

GHSA-PPJ3-7JW3-8VC4

Vulnerability from github – Published: 2021-08-25 20:49 – Updated: 2025-05-23 18:33
VLAI
Summary
Data races in lock_api
Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedMutexGuard unsoundness.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "lock_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-35910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T20:53:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedMutexGuard unsoundness.",
  "id": "GHSA-ppj3-7jw3-8vc4",
  "modified": "2025-05-23T18:33:34Z",
  "published": "2021-08-25T20:49:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Amanieu/parking_lot/pull/262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Amanieu/parking_lot/commit/7de94f95f519d8281cb48457964065b463d26736"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Amanieu/parking_lot"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0070.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Data races in lock_api"
}

GHSA-PPV3-RXM7-W9P5

Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2024-11-05 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.

Hang on to the control IDs instead of pointers since those are correctly handled with locks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-21T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.",
  "id": "GHSA-ppv3-rxm7-w9p5",
  "modified": "2024-11-05T18:31:59Z",
  "published": "2024-06-21T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38628"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b739388aa3f8dfb63a9fca777e6dfa6912d0464"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/453d3fa9266e53f85377b911c19b9a4563fa88c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89e66809684485590ea0b32c3178e42cba36ac09"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bea73b58ab67fe581037ad9cdb93c2557590c068"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ8F-75FC-MGWF

Vulnerability from github – Published: 2022-05-03 03:21 – Updated: 2022-05-03 03:21
VLAI
Details

Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-0436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-04-15T17:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm.",
  "id": "GHSA-pq8f-75fc-mgwf",
  "modified": "2022-05-03T03:21:21Z",
  "published": "2022-05-03T03:21:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0436"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=570613"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57823"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9999"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039533.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2010-0348.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/39419"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/39481"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/39506"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2037"
    },
    {
      "type": "WEB",
      "url": "http://www.kde.org/info/security/advisory-20100413-1.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/39467"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/0879"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PQCW-X89X-VFMM

Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2023-04-19 18:30
VLAI
Details

Use after free condition can occur in wired connectivity due to a race condition while creating and deleting folders in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-13T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use after free condition can occur in wired connectivity due to a race condition while creating and deleting folders in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
  "id": "GHSA-pqcw-x89x-vfmm",
  "modified": "2023-04-19T18:30:58Z",
  "published": "2022-01-14T00:02:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30313"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/january-2022-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQHV-FC7X-QJMR

Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-11-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: fix data race in show_numa_info()

The following data-race was found in show_numa_info():

================================================================== BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show

read to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 ....

write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 ....

value changed: 0x0000008f -> 0x00000000

According to this report,there is a read/write data-race because m->private is accessible to multiple CPUs. To fix this, instead of allocating the heap in proc_vmalloc_init() and passing the heap address to m->private, vmalloc_info_show() should allocate the heap.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T13:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: fix data race in show_numa_info()\n\nThe following data-race was found in show_numa_info():\n\n==================================================================\nBUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show\n\nread to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0:\n show_numa_info mm/vmalloc.c:4936 [inline]\n vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016\n seq_read_iter+0x373/0xb40 fs/seq_file.c:230\n proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299\n....\n\nwrite to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1:\n show_numa_info mm/vmalloc.c:4934 [inline]\n vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016\n seq_read_iter+0x373/0xb40 fs/seq_file.c:230\n proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299\n....\n\nvalue changed: 0x0000008f -\u003e 0x00000000\n==================================================================\n\nAccording to this report,there is a read/write data-race because\nm-\u003eprivate is accessible to multiple CPUs.  To fix this, instead of\nallocating the heap in proc_vmalloc_init() and passing the heap address to\nm-\u003eprivate, vmalloc_info_show() should allocate the heap.",
  "id": "GHSA-pqhv-fc7x-qjmr",
  "modified": "2025-11-19T21:31:16Z",
  "published": "2025-07-25T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38383"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c5f0468d172ddec2e333d738d2a1f85402cf0bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c966f447a584ece3c70395898231aeb56256ee7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ead91de35d9cd5c4f80ec51e6020f342079170af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQQP-XMHJ-WGCW

Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2022-08-10 23:46
VLAI
Summary
crossbeam-deque Data Race before v0.7.4 and v0.8.1
Details

Impact

In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.

Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue.

Patches

This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.

Credits

This issue was reported and fixed by Maor Kleinberger.

License

This advisory is in the public domain.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "crossbeam-deque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "crossbeam-deque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T22:34:26Z",
    "nvd_published_at": "2021-08-02T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIn the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug.\n\nCrates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue.\n\n### Patches\n\nThis has been fixed in crossbeam-deque 0.8.1 and 0.7.4.\n\n### Credits\n\nThis issue was reported and fixed by Maor Kleinberger.\n\n### License\n\nThis advisory is in the public domain.",
  "id": "GHSA-pqqp-xmhj-wgcw",
  "modified": "2022-08-10T23:46:42Z",
  "published": "2021-08-25T21:01:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32810"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0093.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQDIBB7VR3ER52FMSMNJPAWNDO5SITCE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFBZWCLG7AGLJO4A7K5IMJVPLSWZ5TJP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGB2H35CTZDHOV3VLC5BM6VFGURLLVRP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VQZIEJQBV3S72BHD5GKJQF3NVYNRV5CF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3LSN3B43TJSFIOB3QLPBI3RCHRU5BLO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFUBWBYCPSSXTJGEAQ67CJUNQJBOCM26"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRPKBRXCRNGNMVFQPFD4LM3QKPEMBQQR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCLMH7B7B2MF55ET4NQNPH7JWISFX4RT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCIBFGBSL3JSVJQTNEDEIMZGZF23N2KE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EW5B2VTDVMJ6B3DA4VLMAMW2GGDCE2BK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CY5T3FCE4MUYSPKEWICLVJBBODGJ6SZE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYBSLIYFANZLCYWOGTIYZUM26TJRH7WU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AWHNNBJCU4EHA2X5ZAMJMGLDUYS5FEPP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EZILHZDRGDPOBQ4KTW3E5PPMKLHGH5N"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/crossbeam-rs/crossbeam"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "crossbeam-deque Data Race before v0.7.4 and v0.8.1"
}

GHSA-PQQQ-6XH6-422F

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:34
VLAI
Details

cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-07T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "cPanel before 58.0.4 allows a file-ownership change (to nobody) via rearrangeacct (SEC-134).",
  "id": "GHSA-pqqq-6xh6-422f",
  "modified": "2024-04-04T01:34:18Z",
  "published": "2022-05-24T16:52:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10798"
    },
    {
      "type": "WEB",
      "url": "https://documentation.cpanel.net/display/CL/58+Change+Log"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQQQ-8453-MPH5

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-06T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition.",
  "id": "GHSA-pqqq-8453-mph5",
  "modified": "2022-05-13T01:06:29Z",
  "published": "2022-05-13T01:06:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15332"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K12130880"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106135"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQQV-8XRG-2JG9

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-11-06 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix delete_endpoint() vs parent unregistration race

The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port including the endpoint port is attached to the cxl_port driver.

Given that setup, it follows that when either any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event. The hierarchy below the removed port, or the entire hierarchy if the memdev is removed needs to come down.

The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to teardown the memdev because an ancestor port is going through ->remove().

That care needs to take the device_lock() of the endpoint's parent. Which requires 2 bugs to be fixed:

1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature:

BUG: spinlock bad magic on CPU#0, kworker/u56:0/11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023
Workqueue: cxl_port detach_memdev [cxl_core]
RIP: 0010:spin_bug+0x65/0xa0
Call Trace:
  do_raw_spin_lock+0x69/0xa0
 __mutex_lock+0x695/0xb80
 delete_endpoint+0xad/0x150 [cxl_core]
 devres_release_all+0xb8/0x110
 device_unbind_cleanup+0xe/0x70
 device_release_driver_internal+0x1d2/0x210
 detach_memdev+0x15/0x20 [cxl_core]
 process_one_work+0x1e3/0x4c0
 worker_thread+0x1dd/0x3d0

2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix delete_endpoint() vs parent unregistration race\n\nThe CXL subsystem, at cxl_mem -\u003eprobe() time, establishes a lineage of\nports (struct cxl_port objects) between an endpoint and the root of a\nCXL topology. Each port including the endpoint port is attached to the\ncxl_port driver.\n\nGiven that setup, it follows that when either any port in that lineage\ngoes through a cxl_port -\u003eremove() event, or the memdev goes through a\ncxl_mem -\u003eremove() event. The hierarchy below the removed port, or the\nentire hierarchy if the memdev is removed needs to come down.\n\nThe delete_endpoint() callback is careful to check whether it is being\ncalled to tear down the hierarchy, or if it is only being called to\nteardown the memdev because an ancestor port is going through\n-\u003eremove().\n\nThat care needs to take the device_lock() of the endpoint\u0027s parent.\nWhich requires 2 bugs to be fixed:\n\n1/ A reference on the parent is needed to prevent use-after-free\n   scenarios like this signature:\n\n    BUG: spinlock bad magic on CPU#0, kworker/u56:0/11\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023\n    Workqueue: cxl_port detach_memdev [cxl_core]\n    RIP: 0010:spin_bug+0x65/0xa0\n    Call Trace:\n      do_raw_spin_lock+0x69/0xa0\n     __mutex_lock+0x695/0xb80\n     delete_endpoint+0xad/0x150 [cxl_core]\n     devres_release_all+0xb8/0x110\n     device_unbind_cleanup+0xe/0x70\n     device_release_driver_internal+0x1d2/0x210\n     detach_memdev+0x15/0x20 [cxl_core]\n     process_one_work+0x1e3/0x4c0\n     worker_thread+0x1dd/0x3d0\n\n2/ In the case of RCH topologies, the parent device that needs to be\n   locked is not always @port-\u003edev as returned by cxl_mem_find_port(), use\n   endpoint-\u003edev.parent instead.",
  "id": "GHSA-pqqv-8xrg-2jg9",
  "modified": "2024-11-06T00:31:53Z",
  "published": "2024-05-21T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52771"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQRJ-9MQ3-J4H7

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2024-04-04 02:49
VLAI
Details

An issue was discovered in Janus through 0.9.1. janus.c has multiple concurrent threads that misuse the source property of a session, leading to a race condition when claiming sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Janus through 0.9.1. janus.c has multiple concurrent threads that misuse the source property of a session, leading to a race condition when claiming sessions.",
  "id": "GHSA-pqrj-9mq3-j4h7",
  "modified": "2024-04-04T02:49:24Z",
  "published": "2022-05-24T17:11:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/meetecho/janus-gateway/pull/1990"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.