Message-ID: <11c2bce1e5286ad3a9a5be2ee59c2beac168f135.camel@mediatek.com>
Date:   Tue, 7 Mar 2023 10:12:49 +0000
From:   Irui Wang (王瑞) <Irui.Wang@...iatek.com>
To:     "zyytlz.wz@....com" <zyytlz.wz@....com>,
        Kyrie Wu (吴晗) <Kyrie.Wu@...iatek.com>,
        "angelogioacchino.delregno@...labora.com" 
        <angelogioacchino.delregno@...labora.com>,
        "hackerzheng666@...il.com" <hackerzheng666@...il.com>
CC:     "linux-mediatek@...ts.infradead.org" 
        <linux-mediatek@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
        "mchehab@...nel.org" <mchehab@...nel.org>,
        "alex000young@...il.com" <alex000young@...il.com>,
        Bin Liu (刘彬) <bin.liu@...iatek.com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "matthias.bgg@...il.com" <matthias.bgg@...il.com>,
        "1395428693sheep@...il.com" <1395428693sheep@...il.com>
Subject: Re: [RESEND PATCH] media: mtk-jpeg: Fix use after free bug due to
 uncanceled work

Dear Angelo and Zheng,

Thanks for your patch and comments.

Dear Kyrie,

Please help to check this, thanks.

Best Regards

On Tue, 2023-03-07 at 10:49 +0100, AngeloGioacchino Del Regno wrote:
> On 07/03/23 10:27, Zheng Hacker wrote:
> > Hi,
> > 
> > Is there anyone who can help with this? I can provide more details
> > like invoking chain if needed.
> > 
> 
> Providing more details is always good. Please do.
> 
> Meanwhile, adding Irui Wang to the loop: he's doing mtk-jpeg.
> 
> Regards,
> Angelo
> 
> > Thanks,
> > Zheng
> > 
> > > Zheng Wang <zyytlz.wz@....com> wrote on Mon, 6 Mar 2023 at 14:28:
> > > 
> > > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
> > > mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
> > > and mtk_jpeg_enc_device_run may be called to start the
> > > work.
> > > If we remove the module which will call mtk_jpeg_remove
> > > > to make cleanup, there may be an unfinished work. The
> > > possible sequence is as follows, which will cause a
> > > typical UAF bug.
> > > 
> > > Fix it by canceling the work before cleanup in the
> > > mtk_jpeg_remove
> > > 
> > > CPU0                  CPU1
> > > 
> > >                      |mtk_jpeg_job_timeout_work
> > > mtk_jpeg_remove     |
> > >    v4l2_m2m_release  |
> > >      kfree(m2m_dev); |
> > >                      |
> > >                      | v4l2_m2m_get_curr_priv
> > >                      |   m2m_dev->curr_ctx //use
> > > 
> > > Signed-off-by: Zheng Wang <zyytlz.wz@....com>
> > > ---
> > >   drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > index 969516a940ba..364513e7897e 100644
> > > --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > @@ -1793,7 +1793,7 @@ static int mtk_jpeg_probe(struct
> > > platform_device *pdev)
> > >   static int mtk_jpeg_remove(struct platform_device *pdev)
> > >   {
> > >          struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev);
> > > -
> > > +       cancel_delayed_work(&jpeg->job_timeout_work);
> > >          pm_runtime_disable(&pdev->dev);
> > >          video_unregister_device(jpeg->vdev);
> > >          v4l2_m2m_release(jpeg->m2m_dev);
> > > --
> > > 2.25.1
> > > 
> 
> 
> 
