| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Sep 2022 22:03:33 -0700
From: Hyunwoo Kim <imv4bel@...il.com>
To: Dominik Brodowski <linux@...inikbrodowski.net>
Cc: Arnd Bergmann <arnd@...db.de>, laforge@...monks.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
linux-kernel@...r.kernel.org, Paul Fulghum <paulkf@...rogate.com>,
akpm@...l.org, Lubomir Rintel <lkundrak@...sk>, imv4bel@...il.com
Subject: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()
The previous mailing list is here:
https://lore.kernel.org/lkml/20220913052020.GA85241@ubuntu/#r
Dear all,
I reported that the scr24x_cs driver does not cause UAF, which is incorrect.
UAFs can also occur in the scr24x_cs driver in the following order:
```
cpu0 cpu1
1. open()
2. scr24x_remove()
device_destroy()
cdev_del()
kref_put()
3. scr24x_open()
kref_get() <- refcount_t: addition on 0;
4. scr24x_delete()
kfree(dev);
5. scr24x_read() <- UAF
```
Because this driver uses kref_init, it looks as if no UAF is happening, but it does.
Since there is no lock between .open and .remove, kref_get() is called after kref_put()
is called, so "refcount_t: addition on 0;" This is what happens.
So I submitted a patch for all drivers in this path:
- synclink_cs.c "v2" patch : https://lore.kernel.org/lkml/20220916045734.GA187909@ubuntu/T/#u
- cm4040_cs.c : https://lore.kernel.org/lkml/20220916045834.GA188033@ubuntu/T/#u
- cm4000_cs.c : https://lore.kernel.org/lkml/20220916045929.GA188153@ubuntu/T/#u
- scr24x_cs.c : https://lore.kernel.org/lkml/20220916050006.GA188273@ubuntu/T/#u
Best Regards,
Hyunwoo Kim.
Powered by blists - more mailing lists