On-chip solutions aim to prevent breaches by separating the computing element and keeping data in the secure vault at all times.

Top chip makers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Chip makers are adding protective vaults and encryption layers to secure data when it is stored, in transit, or being processed. The goal is to prevent hackers from launching hardware attacks to steal data.

The chip offerings are trickling down to cloud providers, with Microsoft (Azure) and Google (Cloud) offering security-focused virtual machines in which data in secure vaults can be unlocked by only authorized parties. Attestation verifies the source and integrity of the program entering the secure vault to access the data. Once authorized, the processing happens inside the vault, and the code doesn't leave the secure vault.

Confidential computing is not a part of everyday computing yet, but it may become necessary to protect sensitive applications and data from sophisticated attacks, says Jim McGregor, principal analyst at Tirias Research.

The chip makers are focusing on hardware protections because "software is easy to hack," McGregor says.

**Nvidia's Morpheus Uses AI to Analyze Behavior**

There are multiple dimensions to confidential computing. On-chip confidential computing aims to prevent breaches like the 2018 Meltdown and Spectre vulnerabilities by separating the computing element and keeping data in the secure vault at all times.

"Everybody wants to continue to reduce the attack surface of data," says Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations. "Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level."

Nvidia is taking a divergent approach to confidential computing with Morpheus, which uses artificial intelligence (AI) to keep computer systems secure. For example, Morpheus identifies suspicious user behavior by using AI techniques to inspect network packets for sensitive data.

"Security analysts can go and fix the security policies before it becomes a problem," Boitano says. "From there, we also realize the big challenges — you have to kind of assume that people are already in your network, so you have also got to look at the behavior of users and machines on the network."

Nvidia is also using Morpheus to establish security priorities for analysts tracking system threats. The AI system breaks down login information to identify abnormal user behavior on a network and machines that may have been compromised by phishing, social engineering, or other techniques. That analysis helps the company's security team prioritize their actions.

"You're trying to look at everything and then use AI to determine what you need to keep and act on versus what might just be noise that you can drop," Boitano says.

**Intel Rolls Out Project Amber**

Confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models, says Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer.

Companies are eager to bring diverse data sets into proprietary data to make internal AI systems more accurate, Rao says. Confidential computing makes sure only authorized data is fed into AI and learning models, and that the data is not pilfered or stolen.

"If you have data coming in from credit card companies, you have data coming in from insurance companies, and you have data coming in from other locations, what you can do is say, 'I'm going to process all of these pieces of data inside of a \[secure\] enclave,'" Rao says.

Intel already had a secure enclave called SGX (Secure Guard Extension), but it recently added Project Amber, a cloud-based service that uses hardware and software techniques to attest and certify the trustworthiness of data.

On its upcoming 4th Generation Xeon Scalable processor, Intel's Project Amber uses instructions called Trust Domain Execution (TDX) to unlock secure enclaves. An Amber engine on one chip generates a numerical code for the secure enclave. If the code provided by the data or program seeking access matches, it is allowed to enter the secure enclave; if not, entry is denied.

**ARM Teams Up With AWS**

At the recent online ARM DevSummit, ARM — whose chip designs are being used by AWS on its Graviton cloud chip — announced it was focusing confidential computing on dynamic "realms" that will order programs and data in separate computational environments.

ARM's latest confidential computing architecture will deepen secure "wells" and make it harder for hackers to pull out data. The company is releasing confidential computing software stacks and guides for implementation in processors coming out over the next two years.

"We're already investing to ensure that you have the tools and software to see the ecosystem for early development," said Gary Campbell, executive vice president for central engineering at ARM, during a keynote at the event.

**AMD and Microsoft Go Open Source**

During a presentation at the AI Hardware Summit in August, Mark Russinovich, Microsoft Azure's chief technology officer, gave an example of how Royal Bank of Canada was using AMD's SEV-SNP confidential computing technology in Azure. The bank's AI model mixed proprietary data sets with information from merchants, consumers, and banks in real time, which helped provide more targeted advertising offerings to its customers.

Confidential computing features such as attestation ensured only the authorized data was mingling with its proprietary data set and not compromising it, Russinovich said.

Nvidia, Microsoft, Google, and AMD are collaborating on Caliptra, an open source specification for chip makers to build confidential computing security blocks into chips and systems.

How Chip Makers Are Implementing Confidential Computing

Dozens of international delegations meet for the second year to share intel, with a goal of stopping ransomware attacks on critical infrastructure.

U.S. officials will meet this week with delegations from more than 36 countries to share intelligence and strategize about how to push back against crippling and costly ransomware attacks against critical infrastructure.

The second-annual ransomware summit will include briefings from intelligence officials on the more than 4,000 cyberattacks that have occurred just over the past 18 months, Biden administration officials told reporters.

In addition to public sector experts, Microsoft and SAP will also contribute their data and analysis as part of their participation in the summit.

Russia, which is the country of origin of many ransomware operations, is not represented at the meetings.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

White House Convenes International Ransomware Summit

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

Monday, October 31, 2022 14:10

**A case study in why cybersecurity experience is not a prerequisite to work in security**

Azim Khodjibaev knows all sides of the “security” industry.

That doesn’t just cover cybersecurity, either — he spent the first part of his career ensuring the physical safety of civilians and military personnel, which is about as high-stakes as it gets.

Today, he’s using his knack for tracking physical threats to hunt down other types of threats on the deepest corners of the internet so Talos can stay one step ahead of threat actors.

Khodjibaev is a senior intelligence analyst with Talos’ Threat Intelligence and Interdiction team. The idea of collecting intelligence of all types has been in his life for years — he’s no stranger to geopolitical conflict growing up in the late days of the Soviet Union.

When his family immigrated to the U.S. in the mid-1990s, he knew he wanted to follow a career in political science, which led him to get his bachelor’s degree in international relations. Since then, the word “threats” has meant all sorts of things to Khodjibaev.

He spent several years in different contracting positions with the U.S. government where he worked in counterintelligence research, utilizing his native Russian language to try and warn potential targets of military action, by infiltrating various online networks and tapping other sources to learn as much as possible about adversaries’ plans. Khodjibaev was also a part of the intelligence-gathering operations in the wake of the Boston Marathon bombing in 2013 and spent time tracking the location of improvised explosive devices (IEDs) on real battlefields.

“After doing that for a while, out of the blue, I got a message on LinkedIn that actually looked like a phish because it was too good to be true,” he jokes now.

The message was a Cisco recruiter reaching out to him about a potential job opportunity at Talos in the cybersecurity space, something Khodjibaev had never directly worked in before. But after a successful interview and a promise of further education in the field, he jumped on board with Talos in 2016. One of his first challenges was to translate the infamous BlackEnergy attacks against Ukraine and pass along his findings to the Talos detection team who needed to react quickly to the cyber attack.

“For about three-and-a-half years, I was blind, I had no idea what was going on. I knew nothing about the network structure, and only knew the very basic levels of cybersecurity,” he said.

But by working on a team with cybersecurity-focused researchers, he grew his knowledge of virtual threats and how to apply his intelligence-gathering skills to focus on cyber attacks rather than kinetic ones.

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

“Over time, I realized I could contribute to the entire cybersecurity enterprise by building on those human intelligence skills and cyber intelligence skills,” he said.

When Khodjibaev finds a new potential threat or piece of malware, he tries to get it to Talos’ team of reverse engineers and rule writers to write detection as quickly as possible. He also partners with the Outreach team’s researchers to put together public-facing intelligence on the threat, such as one of Talos’ blog posts or intelligence partner alerts.

“As soon as I see something that’s beyond my ability to do something, we have a very specific mechanism that Talos has developed and refined to be speedy, yet accurate, with our detection,” he said.

Most recently, Khodjibaev’s been researching the LockBit ransomware group and regularly updates his Twitter followers about the group’s ongoing developments, even leading to a mini-series of Talos Takes episodes jokingly dubbed “Days of our Ransomware” as he sees drama between these groups play out on message boards, private chats and more.

These can often be very high-risk situations, though, and Khodjibaev continually imperils himself by trying to infiltrate virtual spaces with well-funded and highly skilled threat actors, so one slip-up could make him a personal target of an attack. But it doesn’t deter him from checking as many spaces as possible for the latest developments.

“There have been times when I’ve been legitimately scared because I pushed the envelope too far,” he said. “I am paranoid and careful in a good way where I’m always documenting things. But I’ve pushed the envelope into how far I’ve gone. The bad guys need to understand and learn that if they create a space that has more than one person in it, it’s only a matter of time before someone like me gets in there and takes advantage of that.”

These high-stress situations are admittedly less of a literal life-and-death situation that Khodjibaev used to work in when he would be forced to watch videos or read plans of “violence, abuse, crimes against innocent, defenseless people.”

So, he enjoys the quieter moments of his life where he can either work in his yard at his home or get out and kayak. He’s also a rowing coach for a local high school program.

“Given that unstable childhood I went through \[in the Soviet Union\], I am really into just living a really boring suburban life,” Khodjibaev said.

Now several years into his cybersecurity journey, Khodjibaev said he’s learned that cybersecurity isn’t a problem that can only be solved by looking at raw intelligence like datasets, he more so subscribes to Matt Olney’s, the director of Threat Intelligence and Interdiction at Talos, theory that “cybersecurity is a human problem.”

“I’ve always been a curious person and have always had a low tolerance of malicious activity against people who can’t help themselves,” Khodjibaev said. “Most cybercrime is just that — it’s not these state-sponsored actors, it’s cyber criminals ruining people’s days and targeting hospitals, and schools, and I always wanted to do something about it.”

Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web

Accelerates the safe recovery from ransomware attacks.

**SANTA CLARA, Calif., and PUNE, India, Oct. 31, 2022 /PRNewswire/** — Persistent Systems (BSE: PERSISTENT) (NSE: PERSISTENT), a global Digital Engineering provider, today announced the launch of a trailblazing solution that enables organizations to recover more quickly from cyberattacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber-recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace.

Hackers are increasing the frequency and scale of ransomware attacks. They are using continually evolving and sophisticated techniques, which makes recovery from attacks more challenging. These attacks may lead to sensitive data leakage, loss of business, and damage to brand reputation. It is crucial for organizations to not only focus on protection against cyber-attacks but also strengthen their recovery process.

Traditional backup and Disaster Recovery (DR) solutions are not designed for recovery from cyber-attacks. Persistent Intelligent Cyber Recovery includes tailored recovery plans, Persistent IP for finding and remediating malware, and the optional managed services to administer the recovery process. Persistent's solution integrates with Google Cloud to provide a secure recovery environment and Google Cloud Backup and DR for protecting the server images.

Persistent Intelligent Cyber Recovery offers the following benefits:

\-- Reduction in data loss  
\-- Decreased risk of recurrent attacks through the removal of malware  
\-- Faster recovery from ransomware and zero-day attacks (from weeks/months  
to hours/days)  
\-- Potential cyber insurance cost reduction  
\-- Scalable solution depending on enterprise size challenges  
Nitha Puthran, Senior Vice President - Cloud, Infrastructure and Security,  
Persistent:

"The digital environment today is constantly evolving and so are the risks associated with it. We are leveraging our strong relationship with Google Cloud and our product engineering expertise to create an industry-leading solution that allows enterprises to recover faster from cyber-attacks, thereby reducing the impact on their business.

"Persistent Intelligent Cyber Recovery combines strategic planning and the creation of playbooks, integration with Google Cloud services and our own IP to find anomalies that indicate malware, remove the malware, and use automation to set up test and production environments to scale. It takes a services and product mindset to create a solution like Persistent Intelligent Cyber Recovery and Persistent is uniquely positioned in the market to deliver both."

Dai Vu, Managing Director, Marketplace and ISV GTM Programs, Google: "As cyber threats become more prevalent, customers need solutions that can help them quickly address and recover from cyber-attacks. With the Persistent's Intelligent Cyber Recovery (PiCR) solution available on Google Cloud Marketplace, customers can quickly deploy PiCR to their Google Cloud environment and utilize it alongside Google Cloud technologies and capabilities to address cyber-attacks quickly and securely."  
**SOURCE:** Persistent Systems

Persistent Launches Cyber-Recovery Solution With Google Cloud

When looking at the scale and scope of worldwide cybercrime, password attacks are the most commonly observed type of threat in a given 60-second period.

Cybercrime is big and still growing bigger. It is often difficult to fully grasp the impact online attacks have had over the past decades. We used data from various Microsoft-owned properties and a mix of external sources to illustrate the scale and scope of worldwide cybercrime. Our comprehensive report on malicious activity highlights what is happening around the world within any given 60-second window.

**Cyberattacks Vary By Type and Focus**

If we’ve learned anything from our examination of last year’s online attacks, it’s that security teams need to be prepared to defend against a wide variety of threats at all times. According to RiskIQ, acquired by Microsoft in 2021, password attacks were far and away the most commonly observed type of threat, clocking in at 34,740 per minute. However, we also saw 1,902 Internet of Things (IoT) attacks and 1,095 distributed denial-of-service (DDoS) attacks during the same 60-second time period.

The threat picture gets even more complex the deeper we dive into internal Microsoft security data. We most commonly blocked email threats, identity threats, and brute-force authorization attacks for our customers.

When we examined a broad range of market data, we uncovered even more attacks. In 2021, seven phishing attacks occurred every minute, one SQL injection attack every two minutes, one new threat infrastructure detection every 35 minutes, one supply chain attack every 44 minutes, and one ransomware attack every 195 minutes. All of this comes together to create a tangled cybercrime landscape that security teams have to contend with.

**What Is the True Cost of Cybercrime?**

Cybercrime is a highly disruptive force, estimated to cause trillions of dollars in damages globally every year. The cost of cybercrime comes from damage done to data and property, stolen assets — including intellectual property — and the disruption of business systems and productivity.

Here’s a breakdown of how much cybercriminals cost businesses and consumers in 2021 per minute:

*   Worldwide economic impact of cybercrime: $1,141,553

*   Global cybersecurity spend: $285,388

*   E-commerce payment fraud losses: $38,052

*   Global ransomware damages: $38,051

*   Total cost of business email compromise: $4,566

*   Amount lost to cryptocurrency scams: $3,615

*   Average cost of breach: $8

*   Average cost of malware attacks: $5

How should enterprises guard against the disruptions and financial losses that come with a cybersecurity breach? They should start by understanding the full scope of the digital landscape that needs to be protected.

**What Should Organizations Expect?**

Threat actors are getting savvier about the tools and methods they use for evading detection, bypassing security systems, and perpetrating attacks. In 2021 there were 79,861 new hosts and 7,620 new IoT devices every minute. Likewise, we discovered 150 new domains, 53 new active LetsEncrypt SSL certificates, and 23 new mobile apps created in the same time period. Each of these additions can potentially act as a doorway for threat actors.

Cloud migrations, new digital initiatives, and shadow IT all widen the attack surface. At the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, cheap infrastructure and flourishing cybercrime economies grow the threat landscape that organizations, in turn, must track. Organizations need to ensure they’re one step ahead by creating a more holistic cybersecurity strategy that protects their operations on all fronts.

To gain control of this dynamic threat landscape, security teams must keep a pulse on new and emerging threats, the latest cybercrime tactics, and the leading tools at their disposal. Microsoft tracks more than 43 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly. Our customers can access this intelligence directly to create a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.

A Cyber Threat Minute: Cybercrime’s Scope in 60-Second Snapshots

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().

From: Hyunwoo Kim <imv4bel@gmail.com>
To: Arnd Bergmann <arnd@arndb.de>,
	laforge@gnumonks.org, gregkh@linuxfoundation.org
Cc: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
	linux-kernel@vger.kernel.org,
	"Dominik Brodowski" <linux@dominikbrodowski.net>,
	"Paul Fulghum" <paulkf@microgate.com>,
	akpm@osdl.org, imv4bel@gmail.com
Subject: Re: \[PATCH\] pcmcia: synclink\_cs: Fix use-after-free in mgslpc\_ioctl()
Date: Wed, 14 Sep 2022 19:08:34 -0700	\[thread overview\]
Message-ID: <20220915020834.GA110086@ubuntu> (raw)
In-Reply-To: <a8a9fd74-4ee5-4619-8492-be7139e6d48e@www.fastmail.com\>

The previous mailing list is here:
https://lore.kernel.org/lkml/20220913052020.GA85241@ubuntu/#r

There are 3 other pcmica drivers in the path "drivers/char/pcmcia/synclink\_cs.c", 
the path of the "synclink\_cs.c" driver I reported the UAF to.
A similar UAF occurs in the "cm4000\_cs.c" and "cm4040\_cs.c" drivers. 
(this does not happen in scr24x\_cs.c)

The flow of UAF occurrence in cm4040\_cs.c driver is as follows:
\`\`\`
                cpu0                                                cpu1
       1. open()
          cm4040\_open()
                                                             2. reader\_detach()
                                                                reader\_release()
                                                                cm4040\_reader\_release()
                                                                while (link->open) { ...
       3. link->open = 1;
                                                             4. kfree(dev);
                                                                device\_destroy()
       5. read()   <- device\_destroy() was called, but read() can be called because fd is open
          cm4040\_read()
          int iobase = dev->p\_dev->resource\[0\]->start;   <- UAF
\`\`\`
In cm4040\_open() function, link->open is set to 1.
And in the .remove callback reader\_detach() function, if link->open is 1, 
cm4040\_close() is called and wait()s until link->open becomes 0.
However, if the above race condition occurs in these two functions, 
the link->open check in reader\_detach() can be bypassed.
After that, you can call read() on the task that acquired fd to raise a 
UAF for the kfree()d "dev".


The flow of UAF occurrence in cm4000\_cs.c driver is as follows:

\`\`\`
                cpu0                                                cpu1
       1. open()
          cmm\_open()
                                                             2. cm4000\_detach()
                                                                stop\_monitor()
                                                                if (dev->monitor\_running) { ...
       3. start\_monitor()
          dev->monitor\_running = 1;
                                                             4. cm4000\_release()
                                                                cmm\_cm4000\_release()
                                                                while (link->open) { ...
       5. link->open = 1;
                                                             6. kfree(dev);
                                                                device\_destroy()
       7. read()   <- device\_destroy() was called, but read() can be called because fd is open
          cmm\_read()
          unsigned int iobase = dev->p\_dev->resource\[0\]->start;   <- UAF
\`\`\`
In the cm4000\_cs.c driver, the race condition flow is tricky because of 
the start/stop\_monitor() functions.

The overall flow is similar to cm4040\_cs.c.
Added one race condition to bypass the "dev->monitor\_running" check.


So, should the above two drivers be removed from the kernel like the synclink\_cs.c driver?

Or should I submit a patch that fixes the UAF?


Best Regards,
Hyunwoo Kim.

next prev parent reply	other threads:\[~2022-09-15  2:08 UTC|newest\]

**Thread overview:** 10+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13  5:20 \[PATCH\] pcmcia: synclink\_cs: Fix use-after-free in mgslpc\_ioctl() Hyunwoo Kim
2022-09-13 14:59 \` Arnd Bergmann
2022-09-13 15:14   \` Paul Fulghum
2022-09-13 15:43     \` Hyunwoo Kim
**2022-09-15  2:08   \` Hyunwoo Kim \[this message\]**
2022-09-15  7:35     \` Arnd Bergmann
2022-09-15  8:02       \` Dominik Brodowski
2022-09-15  9:00         \` Hyunwoo Kim
2022-09-16  5:03         \` Hyunwoo Kim
2022-09-15 14:05       \` Harald Welte

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220915020834.GA110086@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=akpm@osdl.org \\
    --cc=arnd@arndb.de \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=ilpo.jarvinen@linux.intel.com \\
    --cc=laforge@gnumonks.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux@dominikbrodowski.net \\
    --cc=paulkf@microgate.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-44032: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().

From: Hyunwoo Kim <imv4bel@gmail.com>
To: lkundrak@v3.sk
Cc: linux-kernel@vger.kernel.org, imv4bel@gmail.com, arnd@arndb.de,
	gregkh@linuxfoundation.org, linux@dominikbrodowski.net
Subject: \[PATCH v5\] char: pcmcia: scr24x\_cs: Fix use-after-free in scr24x\_fops
Date: Mon, 19 Sep 2022 03:18:25 -0700	\[thread overview\]
Message-ID: <20220919101825.GA313940@ubuntu> (raw)

A race condition may occur if the user physically removes the
pcmcia device while calling open() for this char device node.

This is a race condition between the scr24x\_open() function and
the scr24x\_remove() function, which may eventually result in UAF.

So, add a mutex to the scr24x\_open() and scr24x\_remove() functions
to avoid race contidion of krefs.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
---
v2: fixed issue using dev's member mutex which can be freed after kref\_put()
v3: fixed using "removed" member of dev that could be freed after kref\_put()
v4: fix issue referencing uninitialized dev in scr24x\_open() function
v5: Fix patch reporting email format
---
 drivers/char/pcmcia/scr24x\_cs.c | 73 +++++++++++++++++++++++----------
 1 file changed, 52 insertions(+), 21 deletions(-)

diff --git a/drivers/char/pcmcia/scr24x\_cs.c b/drivers/char/pcmcia/scr24x\_cs.c
index 1bdce08fae3d..039d44ee0ebe 100644
--- a/drivers/char/pcmcia/scr24x\_cs.c
+++ b/drivers/char/pcmcia/scr24x\_cs.c
@@ -33,6 +33,7 @@
 
 struct scr24x\_dev {
 	struct device \*dev;
+	struct pcmcia\_device \*p\_dev;
 	struct cdev c\_dev;
 	unsigned char buf\[CCID\_MAX\_LEN\];
 	int devno;
@@ -42,15 +43,31 @@ struct scr24x\_dev {
 };
 
 #define SCR24X\_DEVS 8
\-static DECLARE\_BITMAP(scr24x\_minors, SCR24X\_DEVS);
+static struct pcmcia\_device \*dev\_table\[SCR24X\_DEVS\];
+static DEFINE\_MUTEX(remove\_mutex);
 
 static struct class \*scr24x\_class;
 static dev\_t scr24x\_devt;
 
 static void scr24x\_delete(struct kref \*kref)
 {
\-	struct scr24x\_dev \*dev = container\_of(kref, struct scr24x\_dev,
-								refcnt);
+	struct scr24x\_dev \*dev = container\_of(kref, struct scr24x\_dev, refcnt);
+	struct pcmcia\_device \*link = dev->p\_dev;
+	int devno;
+
+	for (devno = 0; devno < SCR24X\_DEVS; devno++) {
+		if (dev\_table\[devno\] == link)
+			break;
+	}
+	if (devno == SCR24X\_DEVS)
+		return;
+
+	device\_destroy(scr24x\_class, MKDEV(MAJOR(scr24x\_devt), dev->devno));
+	mutex\_lock(&dev->lock);
+	pcmcia\_disable\_device(link);
+	cdev\_del(&dev->c\_dev);
+	dev->dev = NULL;
+	mutex\_unlock(&dev->lock);
 
 	kfree(dev);
 }
@@ -73,11 +90,24 @@ static int scr24x\_wait\_ready(struct scr24x\_dev \*dev)
 
 static int scr24x\_open(struct inode \*inode, struct file \*filp)
 {
\-	struct scr24x\_dev \*dev = container\_of(inode->i\_cdev,
-				struct scr24x\_dev, c\_dev);
+	struct scr24x\_dev \*dev;
+	struct pcmcia\_device \*link;
+	int minor = iminor(inode);
+
+	if (minor >= SCR24X\_DEVS)
+		return -ENODEV;
+
+	mutex\_lock(&remove\_mutex);
+	link = dev\_table\[minor\];
+	if (link == NULL) {
+		mutex\_unlock(&remove\_mutex);
+		return -ENODEV;
+	}
 
+	dev = link->priv;
 	kref\_get(&dev->refcnt);
 	filp->private\_data = dev;
+	mutex\_unlock(&remove\_mutex);
 
 	return stream\_open(inode, filp);
 }
@@ -232,24 +262,31 @@ static int scr24x\_config\_check(struct pcmcia\_device \*link, void \*priv\_data)
 static int scr24x\_probe(struct pcmcia\_device \*link)
 {
 	struct scr24x\_dev \*dev;
\-	int ret;
+	int i, ret;
+
+	for (i = 0; i < SCR24X\_DEVS; i++) {
+		if (dev\_table\[i\] == NULL)
+			break;
+	}
+
+	if (i == SCR24X\_DEVS)
+		return -ENODEV;
 
 	dev = kzalloc(sizeof(\*dev), GFP\_KERNEL);
 	if (!dev)
 		return -ENOMEM;
 
\-	dev->devno = find\_first\_zero\_bit(scr24x\_minors, SCR24X\_DEVS);
-	if (dev->devno >= SCR24X\_DEVS) {
-		ret = -EBUSY;
-		goto err;
-	}
+	dev->devno = i;
 
 	mutex\_init(&dev->lock);
 	kref\_init(&dev->refcnt);
 
 	link->priv = dev;
+	dev->p\_dev = link;
 	link->config\_flags |= CONF\_ENABLE\_IRQ | CONF\_AUTO\_SET\_IO;
 
+	dev\_table\[i\] = link;
+
 	ret = pcmcia\_loop\_config(link, scr24x\_config\_check, NULL);
 	if (ret < 0)
 		goto err;
@@ -282,8 +319,8 @@ static int scr24x\_probe(struct pcmcia\_device \*link)
 	return 0;
 
 err:
\-	if (dev->devno < SCR24X\_DEVS)
-		clear\_bit(dev->devno, scr24x\_minors);
+	dev\_table\[i\] = NULL;
+
 	kfree (dev);
 	return ret;
 }
@@ -292,15 +329,9 @@ static void scr24x\_remove(struct pcmcia\_device \*link)
 {
 	struct scr24x\_dev \*dev = (struct scr24x\_dev \*)link->priv;
 
\-	device\_destroy(scr24x\_class, MKDEV(MAJOR(scr24x\_devt), dev->devno));
-	mutex\_lock(&dev->lock);
-	pcmcia\_disable\_device(link);
-	cdev\_del(&dev->c\_dev);
-	clear\_bit(dev->devno, scr24x\_minors);
-	dev->dev = NULL;
-	mutex\_unlock(&dev->lock);
-
+	mutex\_lock(&remove\_mutex);
 	kref\_put(&dev->refcnt, scr24x\_delete);
+	mutex\_unlock(&remove\_mutex);
 }
 
 static const struct pcmcia\_device\_id scr24x\_ids\[\] = {

base-commit: 521a547ced6477c54b4b0cc206000406c221b4d6
-- 
2.25.1

                 reply	other threads:\[~2022-09-19 10:26 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220919101825.GA313940@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=arnd@arndb.de \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux@dominikbrodowski.net \\
    --cc=lkundrak@v3.sk \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-44034: [PATCH v5] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops

Plus: The New York Post gets hacked, a huge stalkerware network is exposed, and the US claims China interfered with its Huawei probe.

For years, AlphaBay ruled the dark web. If you were in the market to buy drugs or stolen credit cards, the digital bazaar was the place to turn. At its peak, more than 350,000 products were listed for sale—an estimated 10 times the size of the notorious Silk Road market—and the website proved to be the ire of law enforcement the world round. That was until cops took AlphaBay offline in 2017.

This week, WIRED published the first in a six-part series detailing the hunt for Alpha02, the mastermind believed to be behind AlphaBay, and the huge international takedown operation that wiped the marketplace from the web. Each week, we’ll publish a new part of the series, excerpted from WIRED reporter Andy Greenberg’s new book, _Tracers in the Dark_.

Schools across the US have faced dozens of hoax calls about mass shootings in recent months. After a call is made, police scramble to the scene fearing the worst, only to find out there is no shooter. Now hoax phone call recordings obtained by WIRED and conversations with law enforcement officials reveal how the calls have been made and show that law enforcement officials are closing in on the alleged hoaxer. Police are looking for a male “with a heavy accent described as Middle Eastern or African” and have linked the phone calls to Ethiopia.

Elsewhere, a bug in Apple’s new macOS 13 Ventura operating system is causing problems for malware scanners and security monitoring tools. With the new software update, Apple accidentally crippled third-party security products in a way users may not notice. The company is planning to fix the bug in an upcoming software release.

We also looked at a newly discovered Chinese influence operation that is targeting US elections—although it is not having much success. And now that Elon Musk owns Twitter, here’s how you should think about your privacy and security on the bird website.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in Canada and the Netherlands are investigating allegations that Chinese police forces have operated a network of illegal police stations within their countries. According to reports that emerged this week, Chinese police forces have been operating out of clandestine bases and using their presence to track and threaten dissidents. The Dutch government has called such sites “illegal” and said it is “investigating exactly what they are doing here,” while officials in Canada said they are investigating “so-called ‘police’ stations.”

However, it is just the tip of the iceberg. Spanish civil rights group Safeguard Defenders first claimed that Chinese police forces from the cities of Fuzhou and Qingtian were running “overseas police service stations” across the West in a report published in September. Since 2018, the group claims, more than 38 police service stations have appeared in “dozens of countries” spread across five different continents. “Such overseas police ‘service stations’ have been used by police back in China to carry out such ‘persuasion to return’ operations on foreign soil, including in Europe,” the report states. Lawmakers in both England and Scotland are also planning on investigating the stations, reports say.

Chinese officials have not denied the existence of the service stations, but say they exist to provide bureaucratic services to Chinese citizens and don’t involve police operations. The Chinese embassy in Canada said the stations exist to allow Chinese citizens to complete tasks such as renewing their driving licenses: “The main purpose of the service station abroad is to provide free assistance to overseas Chinese citizens in this regard.”

If stalkerware is installed on your phone or laptop, the malicious software can send every tap, message, and photo back to the person who added it to your device. The software is often hard to find, and the insidious industry that creates it operates in the shadows. This week, a TechCrunch investigation revealed how a huge stalkerware network, with hundreds of thousands of victims, operates.

Leaked data obtained by TechCrunch shows TheTruthSpy stalkerware has been installed on more than 300,000 devices and has victims all around the world. Over a six-week period analyzed by the publication, more than 9,400 new devices were infected with the stalkerware. Thousands of calls, millions of text messages, and more than 470,000 photos and videos were collected by the app without its victims’ knowledge. And data was also likely collected from the phones of children. This tool can tell if your device was compromised.

A pair of Chinese intelligence officers attempted to bribe a US official involved in the criminal case against Huawei, the US Department of Justice claimed this week. Across three separate cases, the Justice Department charged 13 people with alleged efforts to “exert influence” in the US on behalf of the People’s Republic of China. The charges range from trying to disrupt the US government’s Huawei investigation to trying to recruit people as intelligence agents. Two people were also arrested for allegedly attempting to “cause the forced repatriation” of a Chinese national living in the US. “The actions announced today take place against a backdrop of malign activity from the government of the People’s Republic of China that includes espionage, attempts to disrupt our justice system, harassment of individuals, and ongoing efforts to steal sensitive US technology,” deputy attorney general Lisa O. Monaco said in a statement. In an unprecedented move in July, the head of the FBI and the UK’s MI5 made a joint public appearance to warn about the perceived threat from China, saying the nation is the biggest threat to economic and national security.

The website and Twitter account of the _New York Post_ were hacked this week. On Thursday, the publication’s Twitter account started sharing links to stories with offensive headlines and posts about politicians. US president Joe Biden, US representative Alexandria Ocasio-Cortez, and New York governor Kathy Hochul were all targeted. The _Post_, which is owned by News Corp, tweeted that it was investigating the incident, but very few details have been made public so far. In February this year, News Corp announced it had been hacked, with the attackers believed to have accessed journalists’ emails. The latest attack against the _Post_ echoes a recent hack of the business news website _Fast Company_. In September, the publication’s content management system (CMS) was breached and the attacker sent offensive push notifications to Apple News subscribers.

China Operates Secret ‘Police Stations’ in Other Countries

What's next for the social network is anyone's guess—but here's what to watch as you wade through the privacy and security morass.

Elon Musk is buying Twitter for $44 billion after the least sexy will-they-won't-they saga of all time. And while Musk attempted to reassure advertisers yesterday that "Twitter obviously cannot become a free-for-all hellscape, where anything can be said with no consequences," the acquisition raises practical questions about what the social network's nearly 240 million active users can expect from the platform in the future.

Chief among these concerns are questions about how Twitter's stances on user security and privacy may change in the Musk era. A number of top Twitter executives were fired last night, including CEO Parag Agrawal, the company's general counsel Sean Edgett, and Vijaya Gadde, the company's head of legal policy, trust, and safety who was known for working to protect user data from law enforcement requests and court orders. Gadde ran the committee that ousted Donald Trump from Twitter in January 2021 following the Capitol riots. Musk, meanwhile, said in May that he would want to reinstate Trump on the platform and called the former US president's removal “morally bad.” 

This afternoon, Musk wrote that “Twitter will be forming a content moderation council with widely diverse viewpoints. No major content decisions or account reinstatements will happen before that council convenes.”

Content moderation has real implications for user security on any platform, particularly when it involves hate speech and violent misinformation. But other topics, including the privacy of Twitter direct messages, protection from unlawful government data requests, and the overall quality of Twitter's security protections, will loom large in the coming weeks. This is particularly true in light of recent accusations from former Twitter chief security officer Peiter “Mudge” Zatko, who described Twitter as having grossly inadequate digital security defenses in an August whistleblower report.

“Personally, I don’t know what to do, especially when you take Mudge’s whistleblower complaint into consideration,” says Whitney Merrill, a privacy and data protection lawyer and former Federal Trade Commission attorney. “I’m just not putting any sensitive data or data I’d like to stay confidential into DMs.”

Twitter offers a tool for downloading all the data it holds in your account, and reviewing your own trove is a good first step in understanding what information the company has linked to you. It's unclear, though, exactly how much control you currently have over deleting this data, and the policies could continue to evolve under the Musk administration. Twitter DMs, for example, only offer the option to “Delete for You,” meaning delete messages from your own account but not for other users. 

More broadly, Twitter's current policy on account deactivation simply says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated.  Once permanently deactivated, all information associated with your account is no longer available in our Production Tools.” It is unclear what exactly this means in terms of long-term data retention and, again, policies may change in the future.

“It appears Twitter isn't even deleting data of end users, and private messages are kept forever or maybe until all participants delete,” Merrill says. (Twitter did not yet respond to WIRED's request for comment.)

It's worth noting that for most users, Twitter's core purpose as a public microblogging service is something of a saving grace. A lot of the things most people have done on Twitter over the years were meant to be publicly accessible. But private Twitter accounts and direct message chats are both popular Twitter features and important considerations as the company evolves.

“This is an emerging situation, but to the extent DMs were ever considered safe from inspection by staff, the threat is greater with the extensively reported rumors of staff reductions,” says Jake Williams, director of cyber-threat intelligence at the security firm Scythe and a former National Security Agency hacker. “Some of the first staff to be cut in any reorganization are personnel involved in nonfunctional activities, such as security specialists and internal policy oversight.”

Zatko, the former Twitter chief security officer, warned in both his written report and subsequent Congressional testimony of rogue insiders at Twitter, including nation-state actors, woefully inadequate access controls, and weak digital security defenses. As a result, a lack of security investment in the Musk era could pose a real danger to users over time. And Twitter has been plagued by both criminal and state-backed attacks over the years.

It's important to keep in mind, though, that the social giant is still a public company and that Musk himself would face legal liability if he or any of his appointees personally access user data or take other rogue actions like, say, leveraging the Twitter mobile application to grab user data outside of Twitter's scope.

“This all should be very concerning, but users don't need to overreact,” Williams says. “There will still be disincentives to run afoul of regulators.”

Even if many users are sticking around to see how things shake out, some are already balking at the extreme uncertainty of the situation. This evening, General Motors said it was temporarily suspending advertising on the social network.

If Musk Starts Firing Twitter's Security Team, Run

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Tag

#intel