On Wed, 16 Nov 2022 20:59:21 -0800 Hyunwoo Kim <imv4bel@xxxxxxxxx> wrote:

> Dear,
>
> This patch set is a security patch for various race condition vulnerabilities that occur
> in 'dvb-core' and 'ttusb_dec', a dvb-based device driver.
>
>
> # 1. media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend
> This is a security patch for a race condition that occurs in the dvb_frontend system of dvb-core.
>
> The race condition that occurs here will occur with _any_ device driver using dvb_frontend.
>
> The race conditions that occur in dvb_frontend are as follows
> (Description is based on drivers/media/usb/as102/as102_drv.c using dvb_frontend):
> ```
>              cpu0                                        cpu1
> 1. open()
>    dvb_frontend_open()
>      dvb_frontend_get()      // kref : 3
>
>
>                                       2. as102_usb_disconnect()
>                                            as102_dvb_unregister()
>                                              dvb_unregister_frontend()
>                                                dvb_frontend_put()  // kref : 2
>                                              dvb_frontend_detach()
>                                                dvb_frontend_put()  // kref : 1
> 3. close()
>    __fput()
>      dvb_frontend_release()
>        dvb_frontend_put()    // kref : 0
>          dvb_frontend_free()
>            __dvb_frontend_free()
>              dvb_free_device()
>                kfree (dvbdev->fops);
>      ...
>      fops_put(file->f_op);   // UAF!!
> ```

Hmm... you're mentioning ttusb_dec at the comment, but here you're showing
the race for as102, which is a different driver.

I'm confused.

Thanks,
Mauro
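The following is an added example, not code from this thread, from the posted patch set, or from the kernel tree. It is a small user-space model of the kref sequence in the quoted diagram: a file holds a raw pointer to an ops table that is owned by the device, the frontend's kref goes 3 -> 2 -> 1 -> 0 across open, unregister, detach and release, and the freed ops table is touched afterwards. All struct and function names (`fops`, `dvbdev`, `frontend`, `run_race`, the `hardened` flag) are constructed stand-ins for the kernel objects named in the diagram, and `kfree` is modelled as a tombstone flag so the program stays defined behaviour while still counting the bad access. The hardened ordering (the open file pinning the object that owns the ops table, and the frontend dropping only its own reference) is one illustrative way to close the window, not a claim about what the posted patch does.

```c
/* Constructed model of the dvb_frontend kref race quoted above.
 * Not kernel code; every name here is a stand-in. */
#include <stdio.h>

struct fops { int alive; };                       /* stands in for dvbdev->fops */
struct dvbdev { int refs; struct fops *fops; };   /* owner of the ops table */
struct frontend { int kref; struct dvbdev *dvbdev; };
struct file { struct fops *f_op; struct frontend *fe; };

static int uaf_hits;   /* number of times a freed ops table was touched */

/* Models kfree(dvbdev->fops): the table is gone from here on. */
static void dvbdev_free(struct dvbdev *d) { d->fops->alive = 0; }
static void dvbdev_get(struct dvbdev *d) { d->refs++; }
static void dvbdev_put(struct dvbdev *d) { if (--d->refs == 0) dvbdev_free(d); }

/* Models dvb_frontend_put(): the last put runs the free path. */
static void frontend_put(struct frontend *fe, int hardened)
{
    if (--fe->kref != 0)
        return;
    if (hardened)
        dvbdev_put(fe->dvbdev);   /* frontend drops only its own reference */
    else
        dvbdev_free(fe->dvbdev);  /* ops table freed even if a file is open */
}

/* Models fops_put(file->f_op) in __fput(): dereferences the ops table. */
static void fops_put(struct fops *f) { if (!f->alive) uaf_hits++; }

/* Replays the quoted cpu0/cpu1 interleaving; returns the UAF count. */
int run_race(int hardened)
{
    struct fops fops = { .alive = 1 };
    struct dvbdev dev = { .refs = 1, .fops = &fops };    /* held by the frontend */
    struct frontend fe = { .kref = 2, .dvbdev = &dev };  /* kref before open */
    struct file file = { .f_op = &fops, .fe = &fe };

    uaf_hits = 0;

    /* 1. open() on cpu0: dvb_frontend_get(), kref 3 */
    file.fe->kref++;
    if (hardened)
        dvbdev_get(&dev);   /* open pins the owner of the ops table */

    /* 2. disconnect on cpu1: unregister (kref 2), detach (kref 1) */
    frontend_put(&fe, hardened);
    frontend_put(&fe, hardened);

    /* 3. close() on cpu0: release (kref 0), then __fput touches f_op */
    frontend_put(&fe, hardened);
    fops_put(file.f_op);
    if (hardened)
        dvbdev_put(&dev);   /* last reference: ops table freed only now */

    return uaf_hits;
}

int main(void)
{
    printf("vulnerable ordering: %d UAF access(es)\n", run_race(0));
    printf("hardened ordering:   %d UAF access(es)\n", run_race(1));
    return 0;
}
```

The vulnerable path reproduces the diagram exactly: the release-side `dvb_frontend_put()` is the one that reaches zero, so the ops table is already freed when `__fput()` comes back to `fops_put(file->f_op)`. In the hardened ordering the same three puts happen, but the table's lifetime is tied to a reference the open file itself holds, so the free moves to after the last access.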