Headline
CVE-2022-41848: [PATCH v5] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.
* [PATCH v5] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops @ 2022-09-19 4:02 Hyunwoo Kim 2022-09-19 5:51 ` Arnd Bergmann 0 siblings, 1 reply; 2+ messages in thread From: Hyunwoo Kim @ 2022-09-19 4:02 UTC (permalink / raw) To: arnd, gregkh; +Cc: linux-kernel, imv4bel, ilpo.jarvinen, paulkf, linux
A race condition may occur if the user physically removes the pcmcia device while calling ioctl() for this tty device node.
This is a race condition between the mgslpc_ioctl() function and the mgslpc_detach() function, which may eventually result in UAF.
So, add a refcount check to mgslpc_detach() to free the structure after the tty device node is close()d.
Signed-off-by: Hyunwoo Kim [email protected]
drivers/char/pcmcia/synclink_cs.c | 35 ++++++++++++++++++++++++±----- 1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c index 8fc49b038372…0dfba8833a67 100644 — a/drivers/char/pcmcia/synclink_cs.c +++ b/drivers/char/pcmcia/synclink_cs.c @@ -216,7 +216,8 @@ typedef struct _mgslpc_info {
/\* PCMCIA support \*/
struct pcmcia\_device \*p\_dev;
- int stop;
int stop;
struct kref refcnt;
/* SPPP/Cisco HDLC device parts */ int netcount; @@ -228,6 +229,8 @@ typedef struct _mgslpc_info {
} MGSLPC_INFO;
+static DEFINE_MUTEX(remove_mutex);
#define MGSLPC_MAGIC 0x5402
/* @@ -468,10 +471,21 @@ static void mgslpc_wait_until_sent(struct tty_struct *tty, int timeout);
/* PCMCIA prototypes */
+static void mgslpc_delete(struct kref *kref); static int mgslpc_config(struct pcmcia_device *link); static void mgslpc_release(u_long arg); static void mgslpc_detach(struct pcmcia_device *p_dev);
+static void mgslpc_delete(struct kref *kref) +{
- MGSLPC_INFO *info = container_of(kref, MGSLPC_INFO, refcnt);
- struct pcmcia_device *link = info->p_dev;
- mgslpc_release((u_long)link);
- mgslpc_remove_device(info); +}
/* * 1st function defined in .text section. Calling this function in * init_module() followed by a breakpoint allows a remote debugger @@ -534,6 +548,7 @@ static int mgslpc_probe(struct pcmcia_device *link) init_waitqueue_head(&info->event_wait_q); spin_lock_init(&info->lock); spin_lock_init(&info->netlock);
- kref_init(&info->refcnt); memcpy(&info->params,&default_params,sizeof(MGSL_PARAMS)); info->idle_mode = HDLC_TXIDLE_FLAGS; info->imra_value = 0xffff; @@ -620,13 +635,15 @@ static void mgslpc_release(u_long arg)
static void mgslpc_detach(struct pcmcia_device *link) {
- MGSLPC_INFO *info = link->priv;
- mutex_lock(&remove_mutex); if (debug_level >= DEBUG_LEVEL_INFO) printk("mgslpc_detach(0x%p)\n", link);
- ((MGSLPC_INFO *)link->priv)->stop = 1;
- mgslpc_release((u_long)link);
- mgslpc_remove_device((MGSLPC_INFO *)link->priv);
- info->stop = 1;
- kref_put(&info->refcnt, mgslpc_delete);
- mutex_unlock(&remove_mutex); }
static int mgslpc_suspend(struct pcmcia_device *link) @@ -2341,10 +2358,13 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
tty\_port\_close\_end(port, tty);
tty\_port\_tty\_set(port, NULL);
cleanup: if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__, tty->driver->name, port->count);
- kref_put(&info->refcnt, mgslpc_delete); }
/* Wait until the transmitter is empty. @@ -2465,6 +2485,8 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp) int retval, line; unsigned long flags;
mutex_lock(&remove_mutex);
/* verify range of specified line number */ line = tty->index; if (line >= mgslpc_device_count) { @@ -2517,9 +2539,10 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp) if (debug_level >= DEBUG_LEVEL_INFO) printk("%s(%d):mgslpc_open(%s) success\n", __FILE__, __LINE__, info->device_name); - retval = 0;
kref_get(&info->refcnt); cleanup:
mutex_unlock(&remove_mutex); return retval; }
– 2.25.1
Dear,
I fixed the wrong patch referencing “info” after kref_put() in the previous version of the patch.
Regards, Hyunwoo Kim.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH v5] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops 2022-09-19 4:02 [PATCH v5] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops Hyunwoo Kim @ 2022-09-19 5:51 ` Arnd Bergmann 0 siblings, 0 replies; 2+ messages in thread From: Arnd Bergmann @ 2022-09-19 5:51 UTC (permalink / raw) To: Hyunwoo Kim, Greg Kroah-Hartman Cc: linux-kernel, Ilpo Järvinen, Paul Fulghum, Dominik Brodowski
On Mon, Sep 19, 2022, at 6:02 AM, Hyunwoo Kim wrote: > A race condition may occur if the user physically removes
the pcmcia device while calling ioctl() for this tty device node.
This is a race condition between the mgslpc_ioctl() function and the mgslpc_detach() function, which may eventually result in UAF.
So, add a refcount check to mgslpc_detach() to free the structure after the tty device node is close()d.
Signed-off-by: Hyunwoo Kim [email protected] Reviewed-by: Arnd Bergmann [email protected]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-09-19 5:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed) – links below jump to the message on this page – 2022-09-19 4:02 [PATCH v5] char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops Hyunwoo Kim 2022-09-19 5:51 ` Arnd Bergmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).
Related news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.