On Tue, Mar 07, 2023 at 09:57:13PM +0900, Hyunwoo Kim wrote:
> ttusb_dec is a comment for patch #4 in the series.
> And as102 is the #1 patch.
>
>
> Regards,
> Hyunwoo Kim

I was using the wrong email client and the mailing list didn't get sent, sorry.
Resending the mail for the mailing list.

>
>
> On Tue, Mar 7, 2023 at 9:41 PM, Mauro Carvalho Chehab <mchehab@xxxxxxxxxx> wrote:
>
> > On Wed, 16 Nov 2022 20:59:21 -0800
> > Hyunwoo Kim <imv4bel@xxxxxxxxx> wrote:
> >
> > > Dear,
> > >
> > > This patch set is a security patch for various race condition vulnerabilities that occur
> > > in 'dvb-core' and 'ttusb_dec', a dvb-based device driver.
> > >
> > >
> > > # 1. media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend
> > > This is a security patch for a race condition that occurs in the dvb_frontend system of dvb-core.
> > >
> > > The race condition that occurs here will occur with _any_ device driver using dvb_frontend.
> > >
> > > The race conditions that occur in dvb_frontend are as follows
> > > (Description is based on drivers/media/usb/as102/as102_drv.c using dvb_frontend):
> > > ```
> > >                 cpu0                                cpu1
> > >        1. open()
> > >           dvb_frontend_open()
> > >           dvb_frontend_get()    // kref : 3
> > >
> > >
> > >                                              2. as102_usb_disconnect()
> > >                                                 as102_dvb_unregister()
> > >                                                 dvb_unregister_frontend()
> > >                                                 dvb_frontend_put()    // kref : 2
> > >                                                 dvb_frontend_detach()
> > >                                                 dvb_frontend_put()    // kref : 1
> > >        3. close()
> > >           __fput()
> > >           dvb_frontend_release()
> > >           dvb_frontend_put()    // kref : 0
> > >           dvb_frontend_free()
> > >           __dvb_frontend_free()
> > >           dvb_free_device()
> > >           kfree (dvbdev->fops);
> > >           ...
> > >           fops_put(file->f_op);    // UAF!!
> >
> > Hmm... you're mentioning ttusb_dec at the comment, but here you're showing
> > the race for as102, which is a different driver.
> >
> > I'm confused.
> >
> >
> > Thanks,
> > Mauro
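
The object-lifetime ordering in the quoted trace, as an added example that is not part of the original mails or of the kernel source: a userspace C model of the three steps, reporting whether `fops_put(file->f_op)` would touch memory already released through the frontend's last reference. The `model_*` names, `trace_hits_uaf()` and the starting count of 2 (inferred from "kref : 3" after open) are assumptions made for illustration.

```c
/* Userspace model, not kernel code; frees are flags, nothing is really freed. */
#include <stdbool.h>
#include <stdio.h>

struct model_fops { bool freed; };   /* stands in for dvbdev->fops */
struct model_fe   { int kref; struct model_fops *fops; };
struct model_file { struct model_fe *fe; struct model_fops *f_op; };

/* Last put models dvb_frontend_free() ... kfree(dvbdev->fops). */
static void fe_put(struct model_fe *fe)
{
    if (--fe->kref == 0)
        fe->fops->freed = true;
}

/* open(): dvb_frontend_get() takes a reference; file->f_op aliases fops. */
static void model_open(struct model_file *f, struct model_fe *fe)
{
    fe->kref++;
    f->fe = fe;
    f->f_op = fe->fops;
}

/* close(): __fput() calls release first, then fops_put(file->f_op). */
static bool model_close(struct model_file *f)
{
    fe_put(f->fe);           /* dvb_frontend_release() */
    return f->f_op->freed;   /* true: fops_put() would see freed memory */
}

bool trace_hits_uaf(bool disconnect_while_open)
{
    struct model_fops fops = { false };
    struct model_fe fe = { 2, &fops };   /* assumed: 2 refs before open() */
    struct model_file file;

    model_open(&file, &fe);              /* kref : 3 */
    if (disconnect_while_open) {         /* as102_usb_disconnect() */
        fe_put(&fe);                     /* dvb_unregister_frontend(), kref : 2 */
        fe_put(&fe);                     /* dvb_frontend_detach(), kref : 1 */
    }
    return model_close(&file);
}

int main(void)
{
    printf("uaf with disconnect=%d, without=%d\n",
           trace_hits_uaf(true), trace_hits_uaf(false));
    return 0;
}
```

Only the ordering with a disconnect between open() and close() drops the count to zero inside release, which is why the file's `f_op` pointer outlives the memory it refers to.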