Headline
CVE-2023-35826: fix use after free bug in cedrus_remove due to race condition
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.
* [PATCH] media: cedrus: fix use after free bug in cedrus_remove due to race condition @ 2023-03-08 3:23 Zheng Wang 0 siblings, 0 replies; only message in thread From: Zheng Wang @ 2023-03-08 3:23 UTC (permalink / raw) To: mchehab Cc: wens, jernej.skrabec, samuel, linux-media, linux-staging, linux-arm-kernel, linux-sunxi, linux-kernel, hackerzheng666, 1395428693sheep, alex000young, Zheng Wang
In cedrus_probe, dev->watchdog_work is bound with cedrus_watchdog function. In cedrus_device_run, it will started by schedule_delayed_work. If there is unfinished work in cedrus_remove, there may be a race condition and trigger UAF bug.
CPU0 CPU1
|cedrus\_watchdog
cedrus_remove | v4l2_m2m_release | kfree(m2m_dev) | | | v4l2_m2m_get_curr_priv | m2m_dev //use
Fix it by canceling the worker in cedrus_remove.
Signed-off-by: Zheng Wang [email protected]
drivers/staging/media/sunxi/cedrus/cedrus.c | 2 ± 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c index a43d5ff66716…c95d011c0817 100644 — a/drivers/staging/media/sunxi/cedrus/cedrus.c +++ b/drivers/staging/media/sunxi/cedrus/cedrus.c @@ -546,7 +546,7 @@ static int cedrus_probe(struct platform_device *pdev) static int cedrus_remove(struct platform_device *pdev) { struct cedrus_dev *dev = platform_get_drvdata(pdev); -
- cancel_delayed_work(&dev->watchdog_work); if (media_devnode_is_registered(dev->mdev.devnode)) { media_device_unregister(&dev->mdev); v4l2_m2m_unregister_media_controller(dev->m2m_dev); – 2.25.1
_______________________________________________ linux-arm-kernel mailing list [email protected] http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2023-03-08 3:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed) – links below jump to the message on this page – 2023-03-08 3:23 [PATCH] media: cedrus: fix use after free bug in cedrus_remove due to race condition Zheng Wang
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).
Related news
Ubuntu Security Notice 6283-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zheng Zhang discovered that the device-mapper implementation in the Linux kernel did not properly handle locking during table_clear operations. A local attacker could use this to cause a denial of service.
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.