On Wed, 08 Mar 2023, Hyunwoo Kim wrote:

> On Tue, Mar 07, 2023 at 09:57:13PM +0900, Hyunwoo Kim wrote:
> > ttusb_dec is a comment for patch #4 in the series.
> > And as102 is the #1 patch.
> >
> >
> > Regards,
> > Hyunwoo Kim
>
> I was using the wrong email client and the mailing list didn't get sent, sorry.
>
> Resend the mail for the mailing list.

Please can you reply in-line - below the quote(s) you are replying to.

Then snip the rest.

> > On Tue, Mar 7, 2023 at 9:41 PM, Mauro Carvalho Chehab <mchehab@xxxxxxxxxx> wrote:
> >
> > > On Wed, 16 Nov 2022 20:59:21 -0800
> > > Hyunwoo Kim <imv4bel@xxxxxxxxx> wrote:
> > >
> > > > Dear,
> > > >
> > > > This patch set is a security patch for various race condition vulnerabilities that occur
> > > > in 'dvb-core' and 'ttusb_dec', a dvb-based device driver.
> > > >
> > > >
> > > > # 1. media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend
> > > > This is a security patch for a race condition that occurs in the dvb_frontend system of dvb-core.
> > > >
> > > > The race condition that occurs here will occur with _any_ device driver using dvb_frontend.
> > > >
> > > > The race conditions that occur in dvb_frontend are as follows
> > > > (Description is based on drivers/media/usb/as102/as102_drv.c using dvb_frontend):
> > > > ```
> > > >                 cpu0                                cpu1
> > > >        1. open()
> > > >           dvb_frontend_open()
> > > >           dvb_frontend_get()    // kref : 3
> > > >
> > > >
> > > >                                              2. as102_usb_disconnect()
> > > >                                                 as102_dvb_unregister()
> > > >                                                 dvb_unregister_frontend()
> > > >                                                 dvb_frontend_put()    // kref : 2
> > > >                                                 dvb_frontend_detach()
> > > >                                                 dvb_frontend_put()    // kref : 1
> > > >        3. close()
> > > >           __fput()
> > > >           dvb_frontend_release()
> > > >           dvb_frontend_put()    // kref : 0
> > > >           dvb_frontend_free()
> > > >           __dvb_frontend_free()
> > > >           dvb_free_device()
> > > >           kfree (dvbdev->fops);
> > > >           ...
> > > >           fops_put(file->f_op);    // UAF!!
> > >
> > > Hmm... you're mentioning ttusb_dec at the comment, but here you're showing
> > > the race for as102, which is a different driver.
> > >
> > > I'm confused.
> > >
> > >
> > > Thanks,
> > > Mauro
> > >

--
Lee Jones [李琼斯]
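
The reference counting in the trace quoted above, replayed as a single-threaded user-space model. This is an added example, not code from the patch series or the kernel. The `model_*` names, `fe_get`/`fe_put` and the starting count of 2 (chosen so that open() gives "kref : 3") are assumptions, and a `fops_freed` flag stands in for kfree(dvbdev->fops) so the model never touches freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types; not the kernel's structures. */
struct model_frontend { int kref; bool fops_freed; };
struct model_file { struct model_frontend *fe; };

static void fe_get(struct model_frontend *fe) { fe->kref++; }

/* Dropping the last reference frees the device, including dvbdev->fops. */
static void fe_put(struct model_frontend *fe)
{
    if (--fe->kref == 0)
        fe->fops_freed = true;      /* kfree(dvbdev->fops) in the trace */
}

/* Step 1 (cpu0): open() takes a reference on the frontend. */
static void model_open(struct model_file *f, struct model_frontend *fe)
{
    f->fe = fe;
    fe_get(fe);
}

/* Step 2 (cpu1): disconnect drops both driver-held references. */
static void model_disconnect(struct model_frontend *fe)
{
    fe_put(fe);                     /* dvb_unregister_frontend() */
    fe_put(fe);                     /* dvb_frontend_detach() */
}

/* Step 3 (cpu0): release drops the file's reference; __fput() then calls
 * fops_put(file->f_op). Returns true if f_op was already freed by then. */
static bool model_close(struct model_file *f)
{
    fe_put(f->fe);
    return f->fe->fops_freed;       /* the access marked "UAF!!" */
}

/* Replays the trace with or without the disconnect in the middle. */
static bool replay(bool disconnect_before_close)
{
    struct model_frontend fe = { .kref = 2, .fops_freed = false };
    struct model_file f;

    model_open(&f, &fe);
    if (disconnect_before_close)
        model_disconnect(&fe);
    return model_close(&f);
}

int main(void)
{
    printf("disconnect, then close: stale f_op = %d\n", replay(true));
    printf("close only:             stale f_op = %d\n", replay(false));
    return 0;
}
```

With the disconnect in the middle, the file's own put is the one that reaches zero, so the fops copy is gone before fops_put(file->f_op) runs; without it the count stays at 2 and f_op is still valid.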