This patch has some typos. Please ignore it.

Zheng Wang <zyytlz.wz@xxxxxxx> wrote on Sun, 15 Oct 2023 at 22:44:
>
> This is a security bug that has been reported to Google.
> It affected all platforms on chrome-os. Please apply this
> patch to 5.10.
>
> Due to the directory structure change, the file path to
> be patched is different from that in upstream.
>
> [ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ]
>
> In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
> mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
> and mtk_jpeg_enc_device_run may be called to start the
> work.
>
> If we remove the module which will call mtk_jpeg_remove
> to make cleanup, there may be an unfinished work. The
> possible sequence is as follows, which will cause a
> typical UAF bug.
>
> Fix it by canceling the work before cleanup in the mtk_jpeg_remove.
>
> CPU0                  CPU1
>
>                     |mtk_jpeg_job_timeout_work
> mtk_jpeg_remove     |
>   v4l2_m2m_release  |
>     kfree(m2m_dev); |
>                     |
>                     | v4l2_m2m_get_curr_priv
>                     |   m2m_dev->curr_ctx //use
>
> Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver")
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Reviewed-by: Alexandre Mergnat <amergnat@xxxxxxxxxxxx>
> Reviewed-by: Chen-Yu Tsai <wenst@xxxxxxxxxxxx>
> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@xxxxxxxxxxxxx>
> Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
>  drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
> index ee802fc3bcdf..67c9ca4cfcd2 100644
> --- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
> +++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
> @@ -1189,6 +1189,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) > { > struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); > > + ancel_delayed_work_sync(&jpeg->job_timeout_work); > pm_runtime_disable(&pdev->dev); > video_unregister_device(jpeg->dec_vdev); > video_device_release(jpeg->dec_vdev); > -- > 2.25.1 >
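Review bot: the single added line in mtk_jpeg_remove() is misspelled. `ancel_delayed_work_sync(&jpeg->job_timeout_work);` is not a kernel symbol, so this hunk cannot compile as posted; the intended call, matching the description "canceling the work before cleanup", is `cancel_delayed_work_sync(&jpeg->job_timeout_work);`. Please resend the 5.10 backport with the leading `c` restored and a build test against that tree. The placement is otherwise right: the synchronous cancel sits before pm_runtime_disable() and the video_unregister_device()/video_device_release() teardown, so by the time the later cleanup frees m2m_dev the timeout handler is guaranteed not to be pending or still running on another CPU, which is exactly the CPU0/CPU1 interleaving in the commit message.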
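The race the commit message draws as a CPU0/CPU1 sequence can be made reproducible and observable in user space. The following is an added example, not code from the patch, the mtk-jpeg driver or the kernel: it models a device whose run path arms a delayed work item, a remove() that frees the device with or without cancelling that work first, and a one-slot poisoned "slab" (in the spirit of SLUB poisoning) so that a write to freed memory can be detected instead of being undefined behaviour. Every name with the `model_` prefix, the poison byte and the single-slot allocator are invented for the illustration; only the shape of the bug and the fix matches the driver.

```c
/*
 * Added example, not from the patch or the mtk-jpeg driver: a user-space
 * model of "remove() frees the object while a delayed work item that
 * still points at it is queued".  All model_* names are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_POISON 0x6b   /* same idea as SLUB's POISON_FREE byte */

struct model_dev {
    int curr_ctx;        /* stands in for m2m_dev->curr_ctx */
    int timeouts_seen;   /* bumped by the timeout handler */
};

/* One-slot slab: the object stays mapped after "free" so we can poison it
 * and later check whether anything wrote to it. */
static struct model_dev slab_obj;
static bool slab_in_use;

static struct model_dev *model_kmalloc(void)
{
    slab_in_use = true;
    slab_obj.curr_ctx = 0;
    slab_obj.timeouts_seen = 0;
    return &slab_obj;
}

static void model_kfree(struct model_dev *d)
{
    memset(d, MODEL_POISON, sizeof *d);   /* poison on free */
    slab_in_use = false;
}

/* True if the freed object was written after free, i.e. a use-after-free. */
static bool model_slab_corrupted(void)
{
    const unsigned char *p = (const unsigned char *)&slab_obj;
    if (slab_in_use)
        return false;
    for (size_t i = 0; i < sizeof slab_obj; i++)
        if (p[i] != MODEL_POISON)
            return true;
    return false;
}

/* A single delayed work item, like jpeg->job_timeout_work. */
struct model_work {
    void (*fn)(struct model_dev *);
    struct model_dev *arg;
    bool pending;
};

static struct model_work job_timeout_work;

static void model_schedule_delayed_work(struct model_work *w)    { w->pending = true; }
static void model_cancel_delayed_work_sync(struct model_work *w) { w->pending = false; }

/* The workqueue thread finally running the queued item (CPU1). */
static void model_run_pending(void)
{
    if (job_timeout_work.pending) {
        job_timeout_work.pending = false;
        job_timeout_work.fn(job_timeout_work.arg);
    }
}

/* Handler touches the device, like mtk_jpeg_job_timeout_work reaching
 * m2m_dev->curr_ctx through v4l2_m2m_get_curr_priv. */
static void model_job_timeout_work(struct model_dev *d)
{
    d->timeouts_seen++;
}

static struct model_dev *model_probe(void)
{
    struct model_dev *d = model_kmalloc();
    job_timeout_work.fn = model_job_timeout_work;
    job_timeout_work.arg = d;
    job_timeout_work.pending = false;
    return d;
}

/* device_run arms the timeout before the hardware job completes. */
static void model_device_run(struct model_dev *d)
{
    d->curr_ctx = 1;
    model_schedule_delayed_work(&job_timeout_work);
}

/* Before the fix: free with the work still queued. Returns true (UAF). */
static bool model_remove_buggy_then_timeout(void)
{
    struct model_dev *d = model_probe();
    model_device_run(d);
    model_kfree(d);        /* mtk_jpeg_remove -> v4l2_m2m_release -> kfree */
    model_run_pending();   /* CPU1: timeout fires on freed memory */
    return model_slab_corrupted();
}

/* After the fix: synchronous cancel before cleanup. Returns false. */
static bool model_remove_fixed_then_timeout(void)
{
    struct model_dev *d = model_probe();
    model_device_run(d);
    model_cancel_delayed_work_sync(&job_timeout_work);
    model_kfree(d);
    model_run_pending();   /* nothing pending, nothing touches d */
    return model_slab_corrupted();
}

int main(void)
{
    printf("buggy remove: UAF detected = %d\n", model_remove_buggy_then_timeout());
    printf("fixed remove: UAF detected = %d\n", model_remove_fixed_then_timeout());
    return 0;
}
```

In the real kernel the buggy interleaving only happens when the workqueue thread wins the race, which is why the bug is intermittent and why the model serialises the two CPUs to make it fire every time; the detection step is what KASAN or SLUB poisoning would report against the live driver.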