From 6d14a378c3d8d152186e9a951fa535c4229735ad Mon Sep 17 00:00:00 2001 From: Admin Pupkin Date: Tue, 2 Jun 2026 09:22:47 +0300 Subject: [PATCH] coretempd: disable MSR fallback, use /scheme/sys/cpu exclusively Kernel has a use-after-free bug in sys_read triggered by /scheme/sys/msr access. The probe guard prevents most crashes but the kernel bug can still trigger during MSR read paths. Removing the MSR fallback eliminates this crash path entirely. Vendor detection now uses /scheme/sys/cpu only. --- config/redbear-full.toml | 12 ++++++++++++ local/recipes/system/coretempd/source/src/main.rs | 11 +++-------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/config/redbear-full.toml b/config/redbear-full.toml index ad4f0ff671..d5da843011 100644 --- a/config/redbear-full.toml +++ b/config/redbear-full.toml @@ -633,3 +633,15 @@ path = "/etc/environment.d/90-dbus.conf" data = """ DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket """ + +[[files]] +path = "/home/user" +data = "" +directory = true +mode = 0o755 + +[[files]] +path = "/root" +data = "" +directory = true +mode = 0o700 diff --git a/local/recipes/system/coretempd/source/src/main.rs b/local/recipes/system/coretempd/source/src/main.rs index 69f2b8dbf0..c92117eaa4 100644 --- a/local/recipes/system/coretempd/source/src/main.rs +++ b/local/recipes/system/coretempd/source/src/main.rs @@ -63,14 +63,9 @@ fn detect_vendor(cpu: u32) -> Vendor { return Vendor::Amd; } } - // Fall back to MSR probing if platform info unavailable - if read_msr(cpu, IA32_THERM_STATUS).is_some() { - Vendor::Intel - } else if read_msr(cpu, AMD_TCTL).is_some() { - Vendor::Amd - } else { - Vendor::Unknown - } + // MSR probing disabled: even with the probe guard, the kernel can UAF + // during sys_read on /scheme/sys/msr. Use /scheme/sys/cpu exclusively. + Vendor::Unknown } fn detect_cpus() -> Vec {