lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87sfklgozd.wl-tiwai@suse.de>
Date:   Wed, 21 Sep 2022 09:34:30 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     Mauro Carvalho Chehab <mchehab@...nel.org>
Cc:     Hyunwoo Kim <imv4bel@...il.com>, linux-media@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: dvb-core: Fix UAF due to refcount races at releasing

On Thu, 08 Sep 2022 15:27:54 +0200,
Takashi Iwai wrote:
> 
> The dvb-core tries to sync the releases of opened files at
> dvb_dmxdev_release() with two refcounts: dvbdev->users and
> dvr_dvbdev->users.  A problem is present in those two syncs: when yet
> another dvb_demux_open() is called during those sync waits,
> dvb_demux_open() continues to process even if the device is being
> closed.  This includes the increment of the former refcount, resulting
> in the leftover refcount after the sync of the latter refcount at
> dvb_dmxdev_release().  It ends up with use-after-free, since the
> function believes that all usages were gone and releases the
> resources.
> 
> This patch addresses the problem by adding the check of dmxdev->exit
> flag at dvb_demux_open(), just like dvb_dvr_open() already does.  With
> the exit flag check, the second call of dvb_demux_open() fails, hence
> the further corruption can be avoided.
> 
> Also for avoiding the races of the dmxdev->exit flag reference, this
> patch serializes the dmxdev->exit set up and the sync waits with the
> dmxdev->mutex lock at dvb_dmxdev_release().  Without the mutex lock,
> dvb_demux_open() (or dvb_dvr_open()) may run concurrently with
> dvb_dmxdev_release(), which allows to skip the exit flag check and
> continue the open process that is being closed.
> 
> Reported-by: Hyunwoo Kim <imv4bel@...il.com>
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@...e.de>

Any review on this?

FWIW, now CVE-2022-41218 is assigned for those bugs as a security
issue.


thanks,

Takashi

> ---
>  drivers/media/dvb-core/dmxdev.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
> index f6ee678107d3..9ce5f010de3f 100644
> --- a/drivers/media/dvb-core/dmxdev.c
> +++ b/drivers/media/dvb-core/dmxdev.c
> @@ -790,6 +790,11 @@ static int dvb_demux_open(struct inode *inode, struct file *file)
>  	if (mutex_lock_interruptible(&dmxdev->mutex))
>  		return -ERESTARTSYS;
>  
> +	if (dmxdev->exit) {
> +		mutex_unlock(&dmxdev->mutex);
> +		return -ENODEV;
> +	}
> +
>  	for (i = 0; i < dmxdev->filternum; i++)
>  		if (dmxdev->filter[i].state == DMXDEV_STATE_FREE)
>  			break;
> @@ -1448,7 +1453,10 @@ EXPORT_SYMBOL(dvb_dmxdev_init);
>  
>  void dvb_dmxdev_release(struct dmxdev *dmxdev)
>  {
> +	mutex_lock(&dmxdev->mutex);
>  	dmxdev->exit = 1;
> +	mutex_unlock(&dmxdev->mutex);
> +
>  	if (dmxdev->dvbdev->users > 1) {
>  		wait_event(dmxdev->dvbdev->wait_queue,
>  				dmxdev->dvbdev->users == 1);
> -- 
> 2.35.3
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ