CVE-2023-3141: Fix UAF bug in r592_remove due to race condition
A use-after-free flaw was found in r592_remove() in drivers/memstick/host/r592.c, the Ricoh R5C592 MemoryStick host driver in the Linux kernel. The card-detect timer that r592_irq() arms with mod_timer() can still run after r592_remove() has freed the memstick host, so the timer callback queues work on freed memory. A local attacker can use this to crash the system at device disconnect, and the access to freed memory could also lead to a kernel information leak.
[PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition
From: Zheng Wang
Date: 2023-03-07 16:43 UTC
To: maximlevitsky
Cc: oakad, ulf.hansson, linux-mmc, linux-kernel, hackerzheng666, 1395428693sheep, alex000young, Zheng Wang
In r592_probe, dev->detect_timer was bound with r592_detect_timer. In the r592_irq function, the timer function will be invoked by mod_timer.

If we remove the module, which will call hantro_release to do the cleanup, there may be an unfinished work. The possible sequence is as follows, which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in r592_remove.
CPU0                       CPU1

                         | r592_detect_timer
r592_remove              |
  memstick_free_host     |
    put_device;          |
    kfree(host);         |
                         |
                         | queue_work
                         |   &host->media_checker  //use
Signed-off-by: Zheng Wang [email protected]
---
 drivers/memstick/host/r592.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index 1d35d147552d…2bfa7eaae80a 100644 — a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won’t take any more requests */ kthread_stop(dev->io_thread); -
del_timer_sync(&dev->detect_timer); r592_enable_device(dev, false);
while (!error && dev->req) { – 2.25.1
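Review bot: del_timer_sync(&dev->detect_timer) is placed right after kthread_stop(dev->io_thread) and before r592_enable_device(dev, false), yet the commit message itself says r592_irq re-arms this timer with mod_timer; if the interrupt line is still live at that point (the hunk does not show where the IRQ is released), a card-detect interrupt arriving after del_timer_sync() returns can re-arm the timer and reopen the same window. Move the cancellation below the point where the interrupt source is quiesced, or, on kernels that have it, use timer_shutdown_sync(), which also rejects later re-arming. The commit message also needs fixing: it refers to hantro_release and to "canceling the work", while the hunk cancels dev->detect_timer in r592_remove; name the actual function and timer so the log matches the change.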
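The interleaving in the commit message's diagram, as an added example that is not part of the original thread or of the kernel driver: a single-threaded C model of the two CPUs, with the timer callback split into scheduling steps so that r592_remove can run between them. The struct, field and function names mirror the driver's but are constructed stand-ins (run_race, cpu0_r592_remove, cpu1_run_detect_timer and the magic/poison values are all assumptions), and kfree is modelled by poisoning the object so that the access to freed memory is counted rather than being undefined behaviour. The model also goes one step beyond the diagram by covering the case where the timer is merely pending, not yet running, when removal starts.

```c
#include <stdio.h>

#define HOST_MAGIC 0x72353932u   /* marks a live memstick_host (constructed value) */
#define POISON     0x6b6b6b6bu   /* marks freed memory, like slab poisoning (constructed) */

struct memstick_host {
    unsigned int magic;
    int media_checker_queued;   /* stands in for the media_checker work item */
};

struct r592_device {
    struct memstick_host *host;
    int timer_pending;          /* detect_timer armed by mod_timer() */
    int timer_step;             /* 0 idle, 1 callback entered and preempted, 2 returned */
};

static int uaf_hits;            /* accesses to a poisoned host observed */

/* memstick_free_host() -> put_device() -> kfree(host): poison instead of free */
static void kfree_host(struct memstick_host *host)
{
    host->magic = POISON;
}

/* queue_work(&host->media_checker): the "use" at the bottom of the diagram */
static void queue_work(struct memstick_host *host)
{
    if (host->magic != HOST_MAGIC) {
        uaf_hits++;             /* on real hardware this is the use-after-free */
        return;
    }
    host->media_checker_queued = 1;
}

/* One scheduling quantum of CPU1 running r592_detect_timer */
static void cpu1_run_detect_timer(struct r592_device *dev)
{
    if (dev->timer_step == 0 && dev->timer_pending) {
        dev->timer_pending = 0;     /* timer fires and is dequeued */
        dev->timer_step = 1;        /* callback entered, then preempted */
    } else if (dev->timer_step == 1) {
        queue_work(dev->host);      /* callback resumes and touches host */
        dev->timer_step = 2;
    }
}

/* del_timer_sync(): deactivate the timer, then wait for a callback that is
 * already running to return. Waiting in this model means letting CPU1 run. */
static void del_timer_sync(struct r592_device *dev)
{
    dev->timer_pending = 0;
    while (dev->timer_step == 1)
        cpu1_run_detect_timer(dev);
}

/* r592_remove() on CPU0, with or without the one-line fix */
static void cpu0_r592_remove(struct r592_device *dev, int fixed)
{
    if (fixed)
        del_timer_sync(dev);
    kfree_host(dev->host);          /* memstick_free_host() */
}

/* Drive one interleaving. preempted_in_callback selects whether CPU1 has
 * already entered r592_detect_timer when r592_remove starts (the commit's
 * diagram) or the timer is merely pending. Returns the number of freed-memory
 * accesses: 1 for the unpatched driver, 0 once del_timer_sync is in place. */
int run_race(int fixed, int preempted_in_callback)
{
    struct memstick_host host = { HOST_MAGIC, 0 };
    struct r592_device dev = { &host, 0, 0 };

    uaf_hits = 0;
    dev.timer_pending = 1;              /* r592_irq: mod_timer(&dev->detect_timer, ...) */
    if (preempted_in_callback)
        cpu1_run_detect_timer(&dev);    /* CPU1 enters the callback, gets preempted */
    cpu0_r592_remove(&dev, fixed);      /* CPU0 runs module removal */
    cpu1_run_detect_timer(&dev);        /* CPU1 fires (if still pending) or resumes */
    cpu1_run_detect_timer(&dev);        /* a late firing needs a second quantum to finish */
    return uaf_hits;
}

int main(void)
{
    printf("unpatched, callback preempted: %d UAF\n", run_race(0, 1));
    printf("unpatched, timer pending:      %d UAF\n", run_race(0, 0));
    printf("patched,   callback preempted: %d UAF\n", run_race(1, 1));
    printf("patched,   timer pending:      %d UAF\n", run_race(1, 0));
    return 0;
}
```

The point of the patched runs is that del_timer_sync() does two things: it clears a pending timer so it never fires, and it waits for a callback that has already been entered to return before the host is freed. Only the second property closes the window drawn in the diagram; a plain del_timer() would leave it open.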
Re: [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition
From: Ulf Hansson
Date: 2023-03-09 15:02 UTC
To: Zheng Wang
Cc: maximlevitsky, oakad, linux-mmc, linux-kernel, hackerzheng666, 1395428693sheep, alex000young
On Tue, 7 Mar 2023 at 17:44, Zheng Wang [email protected] wrote:
>
> In r592_probe, dev->detect_timer was bound with r592_detect_timer. In the r592_irq function, the timer function will be invoked by mod_timer.
>
> If we remove the module, which will call hantro_release to do the cleanup, there may be an unfinished work. The possible sequence is as follows, which will cause a typical UAF bug.
>
> Fix it by canceling the work before cleanup in r592_remove.
>
> CPU0                       CPU1
>
>                          | r592_detect_timer
> r592_remove              |
>   memstick_free_host     |
>     put_device;          |
>     kfree(host);         |
>                          |
>                          | queue_work
>                          |   &host->media_checker  //use
>
> Signed-off-by: Zheng Wang [email protected]

Applied for next, thanks!

Kind regards
Uffe

> ---
>  drivers/memstick/host/r592.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index 1d35d147552d…2bfa7eaae80a 100644 — a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won’t take any more requests */ kthread_stop(dev->io_thread);
del\_timer\_sync(&dev->detect\_timer); r592\_enable\_device(dev, false); while (!error && dev->req) {
> --
> 2.25.1
Re: [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition
From: Zheng Hacker
Date: 2023-03-10 16:20 UTC
To: Ulf Hansson
Cc: Zheng Wang, maximlevitsky, oakad, linux-mmc, linux-kernel, 1395428693sheep, alex000young
Ulf Hansson [email protected] wrote on Thursday, 9 March 2023 at 23:02:
>
> On Tue, 7 Mar 2023 at 17:44, Zheng Wang [email protected] wrote:
> >
> > In r592_probe, dev->detect_timer was bound with r592_detect_timer. In the r592_irq function, the timer function will be invoked by mod_timer.
> >
> > If we remove the module, which will call hantro_release to do the cleanup, there may be an unfinished work. The possible sequence is as follows, which will cause a typical UAF bug.
> >
> > Fix it by canceling the work before cleanup in r592_remove.
> >
> > CPU0                       CPU1
> >
> >                          | r592_detect_timer
> > r592_remove              |
> >   memstick_free_host     |
> >     put_device;          |
> >     kfree(host);         |
> >                          |
> >                          | queue_work
> >                          |   &host->media_checker  //use
> >
> > Signed-off-by: Zheng Wang [email protected]
>
> Applied for next, thanks!
>

Sorry for my late reply and thanks for your effort!

Best regards,
Zheng

> > ---
> >  drivers/memstick/host/r592.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index 1d35d147552d…2bfa7eaae80a 100644 — a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won’t take any more requests */ kthread_stop(dev->io_thread);
del\_timer\_sync(&dev->detect\_timer); r592\_enable\_device(dev, false); while (!error && dev->req) {
> > --
> > 2.25.1
[PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition
From: Zheng Wang
Date: 2023-03-07 16:42 UTC
To: maximlevitsky
Cc: oakad, ulf.hansson, linux-mmc, linux-kernel, hackerzheng666, 1395428693sheep, alex000young, Zheng Wang
In r592_probe, dev->detect_timer was bound with r592_detect_timer. In the r592_irq function, the timer function will be invoked by mod_timer.

If we remove the module, which will call hantro_release to do the cleanup, there may be an unfinished work. The possible sequence is as follows, which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in r592_remove.
CPU0                       CPU1

                         | r592_detect_timer
r592_remove              |
  memstick_free_host     |
    put_device;          |
    kfree(host);         |
                         |
                         | queue_work
                         |   &host->media_checker  //use
Signed-off-by: Zheng Wang [email protected]
---
 drivers/memstick/host/r592.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index 1d35d147552d…2bfa7eaae80a 100644 — a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won’t take any more requests */ kthread_stop(dev->io_thread); - +del_timer_sync(&dev->detect_timer); r592_enable_device(dev, false);
while (!error && dev->req) {
--
2.25.1
Thread overview (4 messages):
2023-03-07 16:43  [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition  Zheng Wang
2023-03-09 15:02   ` Re: [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition  Ulf Hansson
2023-03-10 16:20     ` Re: [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition  Zheng Hacker
2023-03-07 16:42  [PATCH] memstick: r592: Fix UAF bug in r592_remove due to race condition  Zheng Wang (separate posting with the same subject)
Related news
Red Hat Security Advisory 2023-7077-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, denial of service, double free, information leakage, memory leak, null pointer, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
Ubuntu Security Notice 6385-1 - It was discovered that some AMD x86-64 processors with SMT enabled could speculatively execute instructions using a return address from a sibling thread. A local attacker could possibly use this to expose sensitive information. William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6347-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6337-1 - It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service. Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel did not properly validate arguments to ioctl in some situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6332-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6331-1 - It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service. Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel did not properly validate arguments to ioctl in some situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6314-1 - It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service. Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel did not properly validate arguments to ioctl in some situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6312-1 - It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service. Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel did not properly validate arguments to ioctl in some situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6311-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6301-1 - It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service. Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel did not properly validate arguments to ioctl in some situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6300-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6283-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zheng Zhang discovered that the device-mapper implementation in the Linux kernel did not properly handle locking during table_clear operations. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6284-1 - It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service. Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel did not properly validate arguments to ioctl in some situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 6260-1 - It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information. Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges.
Ubuntu Security Notice 6254-1 - Jordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the do_prlimit function in the Linux kernel did not properly handle speculative execution barriers. A local attacker could use this to expose sensitive information. It was discovered that a race condition existed in the btrfs file system implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly expose sensitive information.