CVE-2022-45919: Fix use-after-free due to race condition occurring in dvb_ca_en50221

An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if there is a disconnect after an open, because of the lack of a wait_event.


[PATCH] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_ca_en50221

From: Hyunwoo Kim @ 2022-11-21 6:33 UTC
To: mchehab
Cc: linux-media, linux-usb, tiwai, v4bel

If the device node of dvb_ca_en50221 is open() and the device is disconnected, a UAF may occur when calling close() on the device node.

The root cause is that wake_up() and wait_event() for dvbdev->wait_queue are not implemented.

So implement the wait_event() function in dvb_ca_en50221_release() and add 'remove_mutex', which prevents a race condition for 'ca->exit'.

Signed-off-by: Hyunwoo Kim [email protected]

drivers/media/dvb-core/dvb_ca_en50221.c | 36 +++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c index 15a08d8c69ef…60133a315701 100644 — a/drivers/media/dvb-core/dvb_ca_en50221.c +++ b/drivers/media/dvb-core/dvb_ca_en50221.c @@ -151,6 +151,12 @@ struct dvb_ca_private {

/\* mutex serializing ioctls \*/
struct mutex ioctl\_mutex;
  • /* A mutex used when a device is disconnected */
  • struct mutex remove_mutex;
  • /* Whether the device is disconnected */
  • int exit; };

static void dvb_ca_private_free(struct dvb_ca_private *ca) @@ -1709,12 +1715,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)

dprintk("%s\\n", \_\_func\_\_);

- if (!try_module_get(ca->pub->owner))

  • mutex_lock(&ca->remove_mutex);

  • if (ca->exit) {

  •   mutex\_unlock(&ca->remove\_mutex);
    
  •   return -ENODEV;
    
  • }

  • if (!try_module_get(ca->pub->owner)) {

  •   mutex\_unlock(&ca->remove\_mutex);
      return -EIO;
    
  • }

    err = dvb_generic_open(inode, file); if (err < 0) { module_put(ca->pub->owner);

  •   mutex\_unlock(&ca->remove\_mutex);
      return err;
    

    }
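Review bot: the three error paths added to dvb_ca_en50221_io_open() in this hunk (the `ca->exit` check, the `try_module_get()` failure and the `dvb_generic_open()` failure) each repeat `mutex_unlock(&ca->remove_mutex);` before their `return`; routing them through a single `out_unlock:` label at the end of the function is the usual kernel idiom and makes it much harder for a future early return to leave remove_mutex held. Ordering the `ca->exit` test ahead of `try_module_get()` is right, since a disconnected device then fails with -ENODEV without touching the module refcount at all.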

@@ -1739,6 +1755,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)

dvb\_ca\_private\_get(ca);
  • mutex_unlock(&ca->remove_mutex); return 0; }
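Review bot: this `mutex_unlock(&ca->remove_mutex);` directly before `return 0;` is only sufficient if no other return sits between the `mutex_lock()` at the top of dvb_ca_en50221_io_open() and this point; the hunk context does not show the lines in between, so please confirm there is no early return in that region, or convert the function to one shared unlock-and-return exit so the question does not arise.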

@@ -1758,6 +1775,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)

dprintk("%s\\n", \_\_func\_\_);
  • mutex_lock(&ca->remove_mutex);

  • /* mark the CA device as closed */ ca->open = 0; dvb_ca_en50221_thread_update_delay(ca); @@ -1768,6 +1787,12 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)

    dvb_ca_private_put(ca);

  • if (dvbdev->users == 1 && ca->exit == 1) {

  •   mutex\_unlock(&ca->remove\_mutex);
    
  •   wake\_up(&dvbdev->wait\_queue);
    
  • } else

  •   mutex\_unlock(&ca->remove\_mutex);
    
  • return err; }
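Review bot: both arms of `if (dvbdev->users == 1 && ca->exit == 1)` call `mutex_unlock(&ca->remove_mutex);`, so the unlock can be hoisted above the `if` and the `else` dropped entirely; that also removes the braced-`if`/unbraced-`else` mismatch checkpatch will complain about. A one-line comment on the condition would help readers: `users == 1` here means "the last opener has just closed", which is why it mirrors the `wait_event(..., ca->dvbdev->users == 1)` condition that dvb_ca_en50221_release() waits on, and `ca->exit == 1` means that release path is the one waiting.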

@@ -1891,6 +1916,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter, }

mutex\_init(&ca->ioctl\_mutex);
  • mutex_init(&ca->remove_mutex);

    if (signal_pending(current)) { ret = -EINTR; @@ -1933,6 +1959,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)

    dprintk("%s\n", __func__);

  • mutex_lock(&ca->remove_mutex);

  • ca->exit = 1;

  • mutex_unlock(&ca->remove_mutex);

  • if (ca->dvbdev->users < 1)

  •   wait\_event(ca->dvbdev->wait\_queue,
    
  •           ca->dvbdev->users == 1);
    
  • /* shutdown the thread if there was one */ kthread_stop(ca->thread);
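Review bot: the `if (ca->dvbdev->users < 1)` guard around `wait_event()` is redundant, since wait_event() evaluates its condition before sleeping and returns immediately when `users == 1` already holds; dropping the `if` simplifies the hunk. More importantly, `ca->exit = 1` is written under remove_mutex but `ca->dvbdev->users` is then read after the unlock; this is only safe because the open and release paths in the earlier hunks both update `users` while holding remove_mutex and open re-checks `ca->exit` under it, so a short comment stating that invariant here would keep a later refactor from breaking it. Note also that `wait_event()` is uninterruptible: if the last close never arrives the disconnect path blocks indefinitely, which is the intended trade-off against the use-after-free but deserves a sentence in the commit message.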

--
2.25.1

Dear,

A UAF can occur in a flow like the one below:

```
cpu0                                          cpu1
1. dvb_usbv2_probe()
     d->priv = kzalloc(d->props->size_of_priv, GFP_KERNEL);
     ...
     dvb_usbv2_init()
       anysee_init()
         anysee_ci_init()
           dvb_ca_en50221_init()
             ca->pub = pubca;   // pubca : &state->ci, state : d->priv
                                              2. open()
                                                   dvb_device_open()
                                                     dvb_ca_en50221_io_open()
3. dvb_usbv2_disconnect()
     kfree(d->priv);
                                              4. close()
                                                   dvb_ca_en50221_io_release()
                                                     module_put(ca->pub->owner); // UAF
```

Regards,
Hyunwoo Kim
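The four-step sequence from the report, replayed as a userspace model. This is an added example, not code from the patch or from the kernel: the `model_dev` structure and all `unfixed_*`/`fixed_*` functions are invented stand-ins for `d->priv`, `dvbdev->users`, `ca->exit` and `remove_mutex`, there is no real concurrency (the steps run in program order), and the `wait_event()`/`wake_up()` pair is modelled as a teardown that disconnect defers and the last close completes. The unfixed path frees the private data while a file is still open, so the later close touches freed memory; the fixed path defers the free until the last close and refuses new opens once the device is gone.

```c
/* Added userspace model of CVE-2022-45919's ordering bug and its fix.
 * Not kernel code: names and values are constructed for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_dev {
    int   users;         /* dvbdev convention: 1 == no open file (open--, close++) */
    int   exit;          /* raised by the disconnect path, like ca->exit */
    bool  teardown_due;  /* disconnect ran while a file was still open */
    char *priv;          /* stands in for d->priv, which ca->pub points into */
    bool  priv_freed;    /* lets the model detect a use after free */
    int   uaf_count;     /* accesses to priv after it was freed */
};

static void model_probe(struct model_dev *d)
{
    memset(d, 0, sizeof(*d));
    d->users = 1;
    d->priv = malloc(16);
    strcpy(d->priv, "owner");       /* constructed stand-in for ca->pub->owner */
}

/* The close path's module_put(ca->pub->owner): counts hits on freed memory. */
static void model_module_put(struct model_dev *d)
{
    if (d->priv_freed)
        d->uaf_count++;             /* kernel would dereference freed memory here */
}

static void model_free_priv(struct model_dev *d)
{
    free(d->priv);
    d->priv = NULL;
    d->priv_freed = true;
}

/* ---- pre-patch behaviour: disconnect frees regardless of open files ---- */
static int  unfixed_open(struct model_dev *d)       { d->users--; return 0; }
static void unfixed_disconnect(struct model_dev *d) { model_free_priv(d); }
static int  unfixed_close(struct model_dev *d)
{
    d->users++;
    model_module_put(d);            /* ca->pub already freed: UAF */
    return 0;
}

/* ---- patched behaviour: exit flag + deferred teardown ---- */
static int fixed_open(struct model_dev *d)
{
    if (d->exit)                    /* checked under remove_mutex in the kernel */
        return -ENODEV;
    d->users--;
    return 0;
}

static void fixed_disconnect(struct model_dev *d)
{
    d->exit = 1;                    /* written under remove_mutex in the kernel */
    if (d->users < 1) {             /* a file is open: kernel does wait_event() */
        d->teardown_due = true;
        return;
    }
    model_free_priv(d);
}

static int fixed_close(struct model_dev *d)
{
    d->users++;
    model_module_put(d);            /* priv still alive: no UAF */
    if (d->users == 1 && d->exit == 1 && d->teardown_due) {
        d->teardown_due = false;    /* kernel: wake_up() lets disconnect finish */
        model_free_priv(d);
    }
    return 0;
}

/* Each replay returns the number of accesses that hit freed memory. */
int replay_unfixed(void)
{
    struct model_dev d;
    model_probe(&d);
    unfixed_open(&d);
    unfixed_disconnect(&d);
    unfixed_close(&d);
    return d.uaf_count;
}

int replay_fixed(void)
{
    struct model_dev d;
    model_probe(&d);
    fixed_open(&d);
    fixed_disconnect(&d);           /* deferred: a file is open */
    fixed_close(&d);                /* completes the teardown safely */
    return d.uaf_count;
}

/* A new open after disconnect must fail rather than revive a dead device. */
int open_after_disconnect(void)
{
    struct model_dev d;
    model_probe(&d);
    fixed_disconnect(&d);           /* nothing open: frees immediately */
    return fixed_open(&d);
}

int main(void)
{
    printf("unfixed: %d use(s) after free\n", replay_unfixed());
    printf("fixed:   %d use(s) after free\n", replay_fixed());
    printf("open after disconnect: %d\n", open_after_disconnect());
    return 0;
}
```

The `users` counter deliberately follows the dvbdev convention visible in the patch (it is 1 when nothing is open and the fixed close path tests `users == 1`), so the model's conditions line up with the kernel's `if (dvbdev->users == 1 && ca->exit == 1)` and `wait_event(..., users == 1)` checks.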


Related news

Red Hat Security Advisory 2023-7549-01

Red Hat Security Advisory 2023-7549-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2023-7548-01

Red Hat Security Advisory 2023-7548-01 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2023-7539-01

Red Hat Security Advisory 2023-7539-01 - An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

Ubuntu Security Notice USN-6466-1

Ubuntu Security Notice 6466-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.

Ubuntu Security Notice USN-6412-1

Ubuntu Security Notice 6412-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.
