
CVE-2023-35826: fix use after free bug in cedrus_remove due to race condition

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.

Source: CVE
Tags: #linux #git

[PATCH] media: cedrus: fix use after free bug in cedrus_remove due to race condition
From: Zheng Wang
Date: 2023-03-08 3:23 UTC
To: mchehab
Cc: wens, jernej.skrabec, samuel, linux-media, linux-staging, linux-arm-kernel, linux-sunxi, linux-kernel, hackerzheng666, 1395428693sheep, alex000young, Zheng Wang

In cedrus_probe, dev->watchdog_work is bound to the cedrus_watchdog function. In cedrus_device_run, it will be started by schedule_delayed_work. If there is unfinished work in cedrus_remove, there may be a race condition that triggers a UAF bug.

CPU0                  CPU1

                    |cedrus_watchdog
cedrus_remove       |
  v4l2_m2m_release  |
    kfree(m2m_dev); |
                    |
                    | v4l2_m2m_get_curr_priv
                    |   m2m_dev //use

Fix it by canceling the worker in cedrus_remove.

Signed-off-by: Zheng Wang [email protected]

 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c index a43d5ff66716…c95d011c0817 100644 — a/drivers/staging/media/sunxi/cedrus/cedrus.c +++ b/drivers/staging/media/sunxi/cedrus/cedrus.c @@ -546,7 +546,7 @@ static int cedrus_probe(struct platform_device *pdev) static int cedrus_remove(struct platform_device *pdev) { struct cedrus_dev *dev = platform_get_drvdata(pdev); -

  • cancel_delayed_work(&dev->watchdog_work); if (media_devnode_is_registered(dev->mdev.devnode)) { media_device_unregister(&dev->mdev); v4l2_m2m_unregister_media_controller(dev->m2m_dev); – 2.25.1
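Review bot: cancel_delayed_work() at the top of cedrus_remove() does not close the race the commit message describes, because it only drops work whose timer has not fired yet and returns immediately, without waiting, when cedrus_watchdog is already executing, which is exactly the CPU1 side of the diagram above; in that case v4l2_m2m_release() still frees m2m_dev under a running v4l2_m2m_get_curr_priv(). Use cancel_delayed_work_sync(&dev->watchdog_work); instead, so the call also waits for an in-flight handler to finish before the m2m device is torn down; cedrus_remove() runs in process context, so sleeping there is fine. Minor: the one deletion in this hunk appears to be the blank line after the platform_get_drvdata() declaration; keep a blank line between the declaration and the new call per kernel coding style.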

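The interleaving in the commit message above, as an added userspace model that is not code from the patch, the cedrus driver or the kernel: the workqueue primitives (schedule_delayed_work, cancel_delayed_work, cancel_delayed_work_sync) are re-implemented here with pthreads under the same names, kfree() is modelled as poisoning the object so that a stale read can be detected rather than being undefined behaviour, and run_scenario(), the magic values and the 100 ms / 300 ms delays are the model's own assumptions. It goes beyond the patch in also running the cancel_delayed_work_sync() variant and the case where the watchdog is still pending, so the two cancel calls can be compared in both situations.

```c
/* Userspace model (added here, not kernel code) of the race in the patch above:
 * cedrus_watchdog is still running on one CPU while cedrus_remove() on another
 * frees the m2m_dev it is about to read.  The workqueue API is modelled with
 * pthreads; kfree() is modelled as poisoning the object (what KASAN would flag
 * on a later access) so the stale read is observable.  Build: cc -pthread -o race race.c */
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <unistd.h>

#define M2M_ALIVE 0x4d324d01u
#define M2M_FREED 0xdeadbeefu
struct v4l2_m2m_dev { unsigned int magic; };
enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING, WORK_DONE };
struct delayed_work {		/* model of the kernel's struct delayed_work */
	pthread_mutex_t lock; pthread_cond_t cond; enum work_state state;
	pthread_t thread; unsigned int delay_ms; void (*func)(void *); void *arg;
};
struct cedrus_dev {
	struct v4l2_m2m_dev *m2m_dev; struct delayed_work watchdog_work;
	bool use_after_free;	/* set when the watchdog read freed memory */
};

static void *work_thread(void *p)	/* timer, then the handler unless cancelled */
{
	struct delayed_work *w = p;
	usleep(w->delay_ms * 1000);
	pthread_mutex_lock(&w->lock);
	bool fire = (w->state == WORK_PENDING);
	if (fire) w->state = WORK_RUNNING;
	pthread_cond_broadcast(&w->cond);
	pthread_mutex_unlock(&w->lock);
	if (!fire) return NULL;
	w->func(w->arg);
	pthread_mutex_lock(&w->lock);
	w->state = WORK_DONE;
	pthread_cond_broadcast(&w->cond);
	pthread_mutex_unlock(&w->lock);
	return NULL;
}

/* cancel_delayed_work(): drops unfired work; does NOT wait for a running handler. */
static bool cancel_delayed_work(struct delayed_work *w)
{
	pthread_mutex_lock(&w->lock);
	bool cancelled = (w->state == WORK_PENDING);
	if (cancelled) w->state = WORK_IDLE;
	pthread_mutex_unlock(&w->lock);
	return cancelled;
}

/* cancel_delayed_work_sync(): as above, then waits for a running handler to end. */
static bool cancel_delayed_work_sync(struct delayed_work *w)
{
	bool cancelled = cancel_delayed_work(w);
	pthread_mutex_lock(&w->lock);
	while (w->state == WORK_RUNNING)
		pthread_cond_wait(&w->cond, &w->lock);
	pthread_mutex_unlock(&w->lock);
	return cancelled;
}

static void cedrus_watchdog(void *arg)	/* the handler bound in cedrus_probe() */
{
	struct cedrus_dev *dev = arg;
	usleep(100 * 1000);			/* work done before touching m2m_dev */
	if (dev->m2m_dev->magic != M2M_ALIVE)	/* v4l2_m2m_get_curr_priv(): the UAF */
		dev->use_after_free = true;
}

/* cedrus_remove(): cancel == NULL is the code before the patch. */
static void cedrus_remove(struct cedrus_dev *dev, bool (*cancel)(struct delayed_work *))
{
	if (cancel) cancel(&dev->watchdog_work);
	dev->m2m_dev->magic = M2M_FREED;	/* v4l2_m2m_release() -> kfree(m2m_dev) */
}

/* Arm the watchdog (already executing if in_flight), then unbind; true on UAF. */
static bool run_scenario(bool (*cancel)(struct delayed_work *), bool in_flight)
{
	struct v4l2_m2m_dev m2m = { .magic = M2M_ALIVE };
	struct cedrus_dev dev = { .m2m_dev = &m2m, .watchdog_work = { .func = cedrus_watchdog,
		.arg = &dev, .lock = PTHREAD_MUTEX_INITIALIZER, .cond = PTHREAD_COND_INITIALIZER } };
	struct delayed_work *w = &dev.watchdog_work;
	w->delay_ms = in_flight ? 0 : 300;		/* schedule_delayed_work() as */
	w->state = WORK_PENDING;			/* cedrus_device_run() does */
	pthread_create(&w->thread, NULL, work_thread, w);
	pthread_mutex_lock(&w->lock);
	while (in_flight && w->state == WORK_PENDING)	/* wait until the handler runs */
		pthread_cond_wait(&w->cond, &w->lock);
	pthread_mutex_unlock(&w->lock);
	cedrus_remove(&dev, cancel);
	pthread_join(w->thread, NULL);
	return dev.use_after_free;
}

/* Stand-alone: exit status 1 if the patched cedrus_remove() still races. */
int main(void) { return run_scenario(cancel_delayed_work, true) ? 1 : 0; }
```

run_scenario() returns true when the watchdog handler read m2m_dev after cedrus_remove() had poisoned it. With the handler already executing (in_flight true), both the unpatched remove (cancel NULL) and the patched one with cancel_delayed_work() report the use-after-free, because a non-sync cancel cannot stop a handler that has already left the pending state; only cancel_delayed_work_sync() waits for it. When the watchdog is still pending, either cancel call is enough, which is why the patch looks correct in the common case and only fails in the interleaving the commit message draws.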

Related news

Ubuntu Security Notice USN-6283-1

Ubuntu Security Notice 6283-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zheng Zhang discovered that the device-mapper implementation in the Linux kernel did not properly handle locking during table_clear operations. A local attacker could use this to cause a denial of service.

