Question about patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Hyunwoo:

[patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/) fix [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849).

If the UAF scenarios is as follows, it seems that [fix path v3](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/) will not avoid race contidion of krefs:

```
          cpu0                       |        cpu1
-------------------------------------|---------------------------------------------------
 1. open()                           |
    ufx_ops_open()                   |
-------------------------------------|---------------------------------------------------
                                     | 2. ufx_usb_disconnect()
                                     |    dev->virtualized = true;
                                     |    atomic_set()
                                     |    usb_set_intfdata()
                                     |
                                     | 3. if (dev->fb_count == 0)
                                     |    schedule_delayed_work()
                                     |    kref_put()   <- kref count : 1
                                     |    kref_put()   <- kref count : 0
                                     |    ufx_free()
                                     |    kfree(dev);
-------------------------------------|---------------------------------------------------
 4. if (dev->virtualized) <==== UAF  |
```

Did I misunderstand the UAF scenarios ?



[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux