Message-ID: <aMKnxavyXHFJdwuq@kekkonen.localdomain>
Date: Thu, 11 Sep 2025 13:43:17 +0300
From: Sakari Ailus <sakari.ailus@...ux.intel.com>
To: Edward Adam Davis <eadavis@...com>
Cc: laurent.pinchart@...asonboard.com, linux-kernel@...r.kernel.org,
	linux-media@...r.kernel.org, mchehab@...nel.org,
	syzbot+031d0cfd7c362817963f@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH Next V2] media: mc: Clear minor number before put device

Hi Edward,

On Wed, Sep 10, 2025 at 06:31:45PM +0800, Edward Adam Davis wrote:
> syzbot reports a slab-use-after-free in media_devnode_unregister.
> 
> The following calltrace shows the entire process of UAF generation:
> 
> hub_event()->
>   port_event()->
>     hub_port_connect_change()->
>       hub_port_connect()->
>         usb_disconnect()->
>           usb_disable_device()->
>             device_del()->
>               bus_remove_device()->
>                 device_release_driver_internal()->
>                   __device_release_driver()->
>                     device_remove()->
>                       usb_unbind_interface()->
>                         em28xx_usb_disconnect()->
>                           em28xx_release_resources()->
>                             em28xx_unregister_media_device()->
>                               media_device_unregister()->
>                                 media_devnode_unregister()->
>                                   put_device()->
>                                     media_devnode_release()->
>                                       kfree(devnode)
>                                   clear_bit(devnode->minor, media_devnode_nums)
> 
> [1] kfree(devnode): after this code is executed, devnode is released.
> [2] clear_bit(devnode->minor, media_devnode_nums): this accesses the
> freed devnode, triggering a UAF.
> 
> We clear the device's minor number before freeing devnode to avoid a UAF.
> 
> Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
> Reported-by: syzbot+031d0cfd7c362817963f@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
> Tested-by: syzbot+031d0cfd7c362817963f@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>

Thanks for the update. However, v1 was already merged. I'll mark this as
"not applicable".

-- 
Kind regards,

Sakari Ailus
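The ordering bug described in the quoted commit message, as an added user-space model that is not the kernel's media_devnode code and not the patch under discussion: `struct devnode`, `put_device()`, `devnode_release()`, `read_minor()` and the `minor_bitmap` stand in for the kernel's devnode, refcount drop, release callback and `media_devnode_nums`. Instead of freeing, the hypothetical release callback marks the object so that a read after release can be counted rather than becoming undefined behaviour. `devnode_unregister_buggy()` follows the trace above (final `put_device()` first, then `clear_bit()` on the devnode's minor) and reports one read after release; `devnode_unregister_fixed()` clears the minor while the object is still alive and reports none.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_MINORS 64

/* Stand-in for media_devnode_nums: bitmap of minor numbers in use (constructed). */
static unsigned char minor_bitmap[MAX_MINORS / 8];

static void set_bit(unsigned int nr, unsigned char *map)
{
    map[nr / 8] |= (unsigned char)(1u << (nr % 8));
}

static void clear_bit(unsigned int nr, unsigned char *map)
{
    map[nr / 8] &= (unsigned char)~(1u << (nr % 8));
}

static bool test_bit(unsigned int nr, const unsigned char *map)
{
    return (map[nr / 8] >> (nr % 8)) & 1u;
}

/* Hypothetical stand-in for the kernel's media_devnode. */
struct devnode {
    int refcount;
    unsigned int minor;
    bool released;   /* set by the release callback; the kernel would kfree() instead */
};

/* Stand-in for media_devnode_release(): the kernel frees the object here.
 * This model keeps the memory and only marks it, so a stale read is
 * observable without undefined behaviour. */
static void devnode_release(struct devnode *d)
{
    d->released = true;
}

/* Stand-in for put_device(): dropping the last reference runs release. */
static void put_device(struct devnode *d)
{
    if (--d->refcount == 0)
        devnode_release(d);
}

/* Read the minor number, counting the read as a use-after-free when the
 * release callback has already run. */
static unsigned int read_minor(const struct devnode *d, int *late_reads)
{
    if (d->released)
        (*late_reads)++;
    return d->minor;
}

struct devnode *devnode_register(unsigned int minor)
{
    struct devnode *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    d->refcount = 1;   /* the registration holds the only reference */
    d->minor = minor;
    set_bit(minor, minor_bitmap);
    return d;
}

/* Ordering from the quoted trace: put_device() drops the last reference and
 * the object is released before its minor number is read. Returns the
 * number of reads performed after release (1 here). */
int devnode_unregister_buggy(struct devnode *d)
{
    int late_reads = 0;
    put_device(d);
    clear_bit(read_minor(d, &late_reads), minor_bitmap);
    return late_reads;
}

/* Corrected ordering: release the minor number while the object is still
 * alive, then drop the reference. Returns 0 reads after release. */
int devnode_unregister_fixed(struct devnode *d)
{
    int late_reads = 0;
    clear_bit(read_minor(d, &late_reads), minor_bitmap);
    put_device(d);
    return late_reads;
}

int main(void)
{
    struct devnode *a = devnode_register(5);
    struct devnode *b = devnode_register(6);
    printf("buggy ordering: %d read(s) after release\n", devnode_unregister_buggy(a));
    printf("fixed ordering: %d read(s) after release, minor 6 still reserved: %s\n",
           devnode_unregister_fixed(b), test_bit(6, minor_bitmap) ? "yes" : "no");
    free(a);
    free(b);
    return 0;
}
```

The model only captures the refcount ordering; in the kernel the equivalent stale read is what KASAN reports as the slab-use-after-free in the syzbot trace, and the general rule it illustrates is to copy or consume every field you still need before the last `put_device()` on an object whose release callback frees it.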
