On Sun, Oct 16, 2022 at 07:20:23AM -0700, Hyunwoo Kim wrote:
> On Sun, Oct 16, 2022 at 04:14:05PM +0200, Helge Deller wrote:
> > On 10/16/22 16:10, Hyunwoo Kim wrote:
> > > On Sun, Oct 16, 2022 at 02:31:34PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> > > >
> > > > This is a note to let you know that I've just added the patch titled
> > > >
> > > >     fbdev: smscufx: Fix use-after-free in ufx_ops_open()
> > > >
> > > > to the 6.0-stable tree which can be found at:
> > > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > > >
> > > > The filename of the patch is:
> > > >     fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
> > > > and it can be found in the queue-6.0 subdirectory.
> > > >
> > > > If you, or anyone else, feels it should not be added to the stable tree,
> > > > please let <stable@xxxxxxxxxxxxxxx> know about it.
> > >
> > > This patch should not be applied.
> > >
> > > It has been pointed out to me that a UAF that bypasses this security patch may occur:
> > > https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/T/#t
> > >
> > > I will submit a patch that fixes this in the future.
> >
> > Doesn't it make sense to apply it (since it fixes part of the issue?)
>
> The UAF scenario I first presented requires an extra IPI technique,
> but it's risky because if you patch it you can trigger the UAF much more easily.
> (Added locks make it easier to trigger UAFs.)
>
> > and submit an additional patch on top of it?
>
> Right now I can't come up with a good way to check that .disconnect is done without
> referencing dev. After further analysis, I will submit the corrected patch.
> (Or I hope someone else submits a patch.)

Given that this is a very old and obsolete driver, I think you're the only
one that cares about it at the moment :)

thanks,

greg k-h