On Tue, Oct 11, 2022 at 10:13:02PM +0800, ChenXiaoSong wrote:
> Hi Hyunwoo:
>
> [patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/)
> fix [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849).
>
> If the UAF scenario is as follows, it seems that [fix path
> v3](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/) will not
> avoid race condition of krefs:
>
> ```
> cpu0                                 | cpu1
> -------------------------------------|---------------------------------------------------
> 1. open()                            |
>    ufx_ops_open()                    |
> -------------------------------------|---------------------------------------------------
>                                      | 2. ufx_usb_disconnect()
>                                      |      dev->virtualized = true;
>                                      |      atomic_set()
>                                      |      usb_set_intfdata()
>                                      |
>                                      | 3. if (dev->fb_count == 0)
>                                      |      schedule_delayed_work()
>                                      |    kref_put()  <- kref count : 1
>                                      |    kref_put()  <- kref count : 0
>                                      |      ufx_free()
>                                      |        kfree(dev);
> -------------------------------------|---------------------------------------------------
> 4. if (dev->virtualized)  <==== UAF  |
> ```

You are right.

This v3 fix patch may prevent the UAF scenario I first suggested, but not the one you suggested.

Any good ideas for this?

Could it be solved by adding a global flag variable indicating disconnected?

Regards,
Hyunwoo Kim.