Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-23039: LKML: Yoochan Lee: [PATCH] drivers: tty: vcc: Fix use-after-free in vcc_open()

An issue was discovered in the Linux kernel through 6.2.0-rc2. drivers/tty/vcc.c has a race condition and resultant use-after-free if a physically proximate attacker removes a VCC device while calling open(), aka a race condition between vcc_open() and vcc_remove().

CVE
#ios#linux#git

This bug assumes that the hacker can physically access the
target computer.

A race condition may occur if the user physically removes the
vcc device while calling open().

This is a race condition between vcc_open() function and
the vcc_remove() function, which may lead to Use-After-Free.

Therefore, add a refcount check to vcc_remove() function
to free the “vcc_port” structure after the device is close()d.

---------------CPU 0--------------------CPU 1-----------------
vcc_open() | vcc_remove()
--------------------------------------------------------------
port = vcc_get_ne(tty-> |
index); — (1) |
| struct vcc_port *port =
| dev_get_drvdata(&vdev->dev);
| …
| kfree(port); — (2)
vccdbgl(port->vio.lp); — (3) |

This type of race condition is similar with CVE-2022-44032,
CVE-2022-44033, and CVE-2022-44034.

drivers/tty/vcc.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c
index 34ba6e54789a…31f274c4aa25 100644
— a/drivers/tty/vcc.c
+++ b/drivers/tty/vcc.c
@@ -41,6 +41,8 @@ struct vcc_port {

struct timer_list rx_timer;
struct timer_list tx_timer;
+ struct vio_dev *vdev;
+ struct kref refcnt;
};

/* Microseconds that thread will delay waiting for a vcc port ref */
@@ -104,6 +106,7 @@ static const struct ktermios vcc_tty_termios = {
.c_ospeed = 38400
};

+static void vcc_delete(struct kref *kref);
/**
* vcc_table_add() - Add VCC port to the VCC table
* @port: pointer to the VCC port
@@ -586,6 +589,8 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
goto free_port;

port->vio.debug = vcc_dbg_vio;
+ port->vdev = vdev;
+ kref_init(&port->refcnt);
vcc_ldc_cfg.debug = vcc_dbg_ldc;

rv = vio_ldc_alloc(&port->vio, &vcc_ldc_cfg, port);
@@ -673,6 +678,14 @@ static void vcc_remove(struct vio_dev *vdev)
{
struct vcc_port *port = dev_get_drvdata(&vdev->dev);

+ kref_put(&port->refcnt, vcc_delete);
+}

+static void vcc_delete(struct kref *kref)
+{
+ struct vcc_port *port = container_of(kref, struct vcc_port, refcnt);
+ struct viod_dev *vdev = port->vdev;

del_timer_sync(&port->rx_timer);
del_timer_sync(&port->tx_timer);

@@ -752,12 +765,15 @@ static int vcc_open(struct tty_struct *tty, struct file *vcc_file)
pr_err(“VCC: open: TTY ops not defined\n”);
return -ENXIO;
}
+ kref_get(&port->refcnt);

return tty_port_open(tty->port, tty, vcc_file);
}

static void vcc_close(struct tty_struct *tty, struct file *vcc_file)
{
+ struct vcc_port *port = vcc_get_ne(tty->index);

if (unlikely(tty->count > 1))
return;

@@ -767,6 +783,8 @@ static void vcc_close(struct tty_struct *tty, struct file *vcc_file)
}

tty_port_close(tty->port, tty, vcc_file);

+ kref_put(&port->refcnt, vcc_delete);
}

static void vcc_ldc_hup(struct vcc_port *port)

2.39.0

Related news

CVE-2022-44032: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().

CVE-2022-44033: [PATCH v3] char: pcmcia: cm4040_cs: Fix use-after-free in reader_fops

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().

CVE-2022-44034: [PATCH v5] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907