Headline
CVE-2022-45919: Fix use-after-free due to race condition occurring in dvb_ca_en50221
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.
* [PATCH] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_ca_en50221 @ 2022-11-21 6:33 Hyunwoo Kim 0 siblings, 0 replies; only message in thread From: Hyunwoo Kim @ 2022-11-21 6:33 UTC (permalink / raw) To: mchehab; +Cc: linux-media, linux-usb, tiwai, v4bel
If the device node of dvb_ca_en50221 is open() and the device is disconnected, a UAF may occur when calling close() on the device node.
The root cause is that wake_up() and wait_event() for dvbdev->wait_queue are not implemented.
So implement wait_event() function in dvb_ca_en50221_release() and add ‘remove_mutex’ which prevents race condition for 'ca->exit’.
Signed-off-by: Hyunwoo Kim [email protected]
drivers/media/dvb-core/dvb_ca_en50221.c | 36 +++++++++++++++++++++++± 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c index 15a08d8c69ef…60133a315701 100644 — a/drivers/media/dvb-core/dvb_ca_en50221.c +++ b/drivers/media/dvb-core/dvb_ca_en50221.c @@ -151,6 +151,12 @@ struct dvb_ca_private {
/\* mutex serializing ioctls \*/
struct mutex ioctl\_mutex;
- /* A mutex used when a device is disconnected */
- struct mutex remove_mutex;
- /* Whether the device is disconnected */
- int exit; };
static void dvb_ca_private_free(struct dvb_ca_private *ca) @@ -1709,12 +1715,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
dprintk("%s\\n", \_\_func\_\_);
- if (!try_module_get(ca->pub->owner))
mutex_lock(&ca->remove_mutex);
if (ca->exit) {
mutex\_unlock(&ca->remove\_mutex);return -ENODEV;}
if (!try_module_get(ca->pub->owner)) {
mutex\_unlock(&ca->remove\_mutex); return -EIO;}
err = dvb_generic_open(inode, file); if (err < 0) { module_put(ca->pub->owner);
mutex\_unlock(&ca->remove\_mutex); return err;}
@@ -1739,6 +1755,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
dvb\_ca\_private\_get(ca);
- mutex_unlock(&ca->remove_mutex); return 0; }
@@ -1758,6 +1775,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
dprintk("%s\\n", \_\_func\_\_);
mutex_lock(&ca->remove_mutex);
/* mark the CA device as closed */ ca->open = 0; dvb_ca_en50221_thread_update_delay(ca); @@ -1768,6 +1787,12 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
dvb_ca_private_put(ca);
if (dvbdev->users == 1 && ca->exit == 1) {
mutex\_unlock(&ca->remove\_mutex);wake\_up(&dvbdev->wait\_queue);} else
mutex\_unlock(&ca->remove\_mutex);return err; }
@@ -1891,6 +1916,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter, }
mutex\_init(&ca->ioctl\_mutex);
mutex_init(&ca->remove_mutex);
if (signal_pending(current)) { ret = -EINTR; @@ -1933,6 +1959,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)
dprintk("%s\n", __func__);
mutex_lock(&ca->remove_mutex);
ca->exit = 1;
mutex_unlock(&ca->remove_mutex);
if (ca->dvbdev->users < 1)
wait\_event(ca->dvbdev->wait\_queue,ca->dvbdev->users == 1);/* shutdown the thread if there was one */ kthread_stop(ca->thread);
– 2.25.1
Dear,
A UAF can occur in a flow like the one below: ``` cpu0 cpu1 1. dvb_usbv2_probe() d->priv = kzalloc(d->props->size_of_priv, GFP_KERNEL); … dvb_usbv2_init() anysee_init() anysee_ci_init() dvb_ca_en50221_init() ca->pub = pubca; // pubca : &state->ci, state : d->priv 2. open() dvb_device_open() dvb_ca_en50221_io_open() 3. dvb_usbv2_disconnect() kfree(d->priv); 4. close() dvb_ca_en50221_io_release() module_put(ca->pub->owner); // UAF ```
Regards, Hyunwoo Kim
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-11-21 6:33 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed) – links below jump to the message on this page – 2022-11-21 6:33 [PATCH] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_ca_en50221 Hyunwoo Kim
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).
Related news
Red Hat Security Advisory 2023-7549-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2023-7548-01 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2023-7539-01 - An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.
Ubuntu Security Notice 6466-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6412-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.