Hi Yang,

On Tue, Nov 17, 2020 at 09:27:51PM +0800, Yang Yingliang wrote:
>
> After sunkbd->tq is added to the workqueue, before the scheduled work finishes, sunkbd is
> freed by sunkbd_disconnect(); when sunkbd is used in sunkbd_reinit(), it causes
> a UAF. Fix this by calling flush_scheduled_work() before freeing sunkbd.
>
> This fixes CVE-2020-25669.
>
> Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
> ---
>  drivers/input/keyboard/sunkbd.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/input/keyboard/sunkbd.c b/drivers/input/keyboard/sunkbd.c
> index 27126e621eb6..b6222896acdf 100644
> --- a/drivers/input/keyboard/sunkbd.c
> +++ b/drivers/input/keyboard/sunkbd.c
> @@ -316,6 +316,7 @@ static void sunkbd_disconnect(struct serio *serio)
>  {
>  	struct sunkbd *sunkbd = serio_get_drvdata(serio);
>
> +	flush_scheduled_work();

This is unfortunately racy as we may get an interrupt and reschedule the
work again before we get to disabling the port. It is properly fixed by
77e70d351db7de07a46ac49b87a6c3c7a60fca7e.

>  	sunkbd_enable(sunkbd, false);
>  	input_unregister_device(sunkbd->dev);
>  	serio_close(serio);
> --
> 2.17.1
>

Thanks.

--
Dmitry
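Review bot: the flush_scheduled_work() inserted at the top of sunkbd_disconnect() runs before sunkbd_enable(sunkbd, false) and serio_close(serio), so the port is still live when the flush returns and the interrupt path can queue sunkbd->tq again afterwards; the use-after-free window described in the commit message is narrowed, not closed. The flush only helps once nothing can re-queue the work, i.e. after the port has been disabled and closed, and the reply points to commit 77e70d351db7de07a46ac49b87a6c3c7a60fca7e as the proper fix. If this patch is respun, move the flush after serio_close(serio) and state that ordering requirement in the commit message so the reason is clear to later readers.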