Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-45886: [PATCH 2/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_net

An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.

CVE
#vulnerability#linux#git

From: [email protected] To: [email protected] Cc: Hyunwoo Kim [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] Subject: [PATCH 2/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_net Date: Tue, 15 Nov 2022 05:18:20 -0800 [thread overview] Message-ID: [email protected] (raw) In-Reply-To: <[email protected]>

From: Hyunwoo Kim [email protected]

A race condition may occur between the .disconnect function, which is called when the device is disconnected, and the dvb_device_open() function, which is called when the device node is open()ed. This results in several types of UAFs.

The root cause of this is that you use the dvb_device_open() function, which does not implement a conditional statement that checks 'dvbnet->exit’.

So, add 'remove_mutex` to protect ‘dvbnet->exit’ and use locked_dvb_net_open() function to check 'dvbnet->exit’.

Signed-off-by: Hyunwoo Kim [email protected]

drivers/media/dvb-core/dvb_net.c | 37 ++++++++++++++++++++++++++++±– include/media/dvb_net.h | 4 ++++ 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c index 8a2febf33ce2…bdfc6609cb93 100644 — a/drivers/media/dvb-core/dvb_net.c +++ b/drivers/media/dvb-core/dvb_net.c @@ -1564,15 +1564,42 @@ static long dvb_net_ioctl(struct file *file, return dvb_usercopy(file, cmd, arg, dvb_net_do_ioctl); }

+static int locked_dvb_net_open(struct inode *inode, struct file *file) +{

  • struct dvb_device *dvbdev = file->private_data;
  • struct dvb_net *dvbnet = dvbdev->priv;
  • int ret;
  • if (mutex_lock_interruptible(&dvbnet->remove_mutex))
  •   return -ERESTARTSYS;
    
  • if (dvbnet->exit) {
  •   mutex\_unlock(&dvbnet->remove\_mutex);
    
  •   return -ENODEV;
    
  • }
  • ret = dvb_generic_open(inode, file);
  • mutex_unlock(&dvbnet->remove_mutex);
  • return ret; +}

static int dvb_net_close(struct inode *inode, struct file *file) { struct dvb_device *dvbdev = file->private_data; struct dvb_net *dvbnet = dvbdev->priv;

  • mutex_lock(&dvbnet->remove_mutex);
  • dvb_generic_release(inode, file);

- if(dvbdev->users == 1 && dvbnet->exit == 1)

  • if (dvbdev->users == 1 && dvbnet->exit == 1) {
  •   mutex\_unlock(&dvbnet->remove\_mutex);
      wake\_up(&dvbdev->wait\_queue);
    
  • } else
  •   mutex\_unlock(&dvbnet->remove\_mutex);
    
  • return 0; }

@@ -1580,7 +1607,7 @@ static int dvb_net_close(struct inode *inode, struct file *file) static const struct file_operations dvb_net_fops = { .owner = THIS_MODULE, .unlocked_ioctl = dvb_net_ioctl, - .open = dvb_generic_open,

  • .open = locked_dvb_net_open, .release = dvb_net_close, .llseek = noop_llseek, }; @@ -1599,10 +1626,13 @@ void dvb_net_release (struct dvb_net *dvbnet) { int i;

  • mutex_lock(&dvbnet->remove_mutex); dvbnet->exit = 1;

  • mutex_unlock(&dvbnet->remove_mutex);

  • if (dvbnet->dvbdev->users < 1) wait_event(dvbnet->dvbdev->wait_queue, - dvbnet->dvbdev->users==1);

  •           dvbnet->dvbdev->users == 1);
    

    dvb_unregister_device(dvbnet->dvbdev);

@@ -1621,6 +1651,7 @@ int dvb_net_init (struct dvb_adapter *adap, struct dvb_net *dvbnet, int i;

mutex\_init(&dvbnet->ioctl\_mutex);
  • mutex_init(&dvbnet->remove_mutex); dvbnet->demux = dmx;

    for (i=0; i<DVB_NET_DEVICES_MAX; i++) diff --git a/include/media/dvb_net.h b/include/media/dvb_net.h index 5e31d37f25fa…3e2eee5a05e5 100644 — a/include/media/dvb_net.h +++ b/include/media/dvb_net.h @@ -41,6 +41,9 @@ * @exit: flag to indicate when the device is being removed. * @demux: pointer to &struct dmx_demux. * @ioctl_mutex: protect access to this struct. + * @remove_mutex: mutex that avoids a race condition between a callback

  • * called when the hardware is disconnected and the

  • * file_operations of dvb_net * * Currently, the core supports up to %DVB_NET_DEVICES_MAX (10) network * devices. @@ -53,6 +56,7 @@ struct dvb_net { unsigned int exit:1; struct dmx_demux *demux; struct mutex ioctl_mutex;

  • struct mutex remove_mutex; };

/**

2.25.1

next prev parent reply other threads:[~2022-11-15 13:19 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-11-15 13:18 [PATCH 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver imv4bel 2022-11-15 13:18 ` [PATCH 1/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend imv4bel 2022-11-15 13:18 ` imv4bel [this message] 2022-11-15 13:18 ` [PATCH 3/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_register_device() imv4bel 2022-11-17 4:16 ` Dan Carpenter 2022-11-15 13:18 ` [PATCH 4/4] media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb() imv4bel

Reply instructions:

You may reply publicly to this message via plain-text email using any one of the following methods:

* Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox

Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the –to, –cc, and –in-reply-to switches of git-send-email(1):

git send-email \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ –[email protected] \ /path/to/YOUR_REPLY

https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).

Related news

Red Hat Security Advisory 2023-7549-01

Red Hat Security Advisory 2023-7549-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2023-7548-01

Red Hat Security Advisory 2023-7548-01 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2023-7539-01

Red Hat Security Advisory 2023-7539-01 - An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

Ubuntu Security Notice USN-6466-1

Ubuntu Security Notice 6466-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.

Ubuntu Security Notice USN-6412-1

Ubuntu Security Notice 6412-1 - Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel contained a race condition during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. Hyunwoo Kim discovered that the Technotrend/Hauppauge USB DEC driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service.

CVE-2022-45886: November 2022 Linux Kernel 6.0.9 Vulnerabilities in NetApp Products

An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907