oss-sec mailing list archives
Linux kernel: CVE-2023-1118: UAF vulnerabilities in "drivers/media/rc" directory
From: duoming () zju edu cn
Date: Thu, 2 Mar 2023 08:56:46 +0800 (GMT+08:00)
Hello there, There are use-after-free vulnerabilities in drivers/media/rc/ene_ir.c of linux that allow attacker to crash linux kernel without any privilege by detaching rc device. =*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*= When the rc device is detaching, function ene_remove() will be called. But the synchronizations in ene_remove() are bad. The situations that may lead to race conditions are shown below. Firstly, the rx receiver is disabled with ene_rx_disable() before rc_unregister_device() in ene_remove(), which means it can be enabled again if a process opens /dev/lirc0 between ene_rx_disable() and rc_unregister_device(). (cleanup routine) | (open routine) ene_remove() | ene_rx_disable(dev); | ene_open() | ene_rx_enable(dev); //re-enable! Secondly, the irqaction descriptor is freed by free_irq() before the rc device is unregistered, which means irqaction descriptor may be accessed again after it is deallocated. (free routine) | (use routine) ene_remove() | ene_rx_enable() free_irq(dev->irq, ...); //FREE | ene_rx_enable_hw() | ene_write_reg(..., dev->irq << 1) //USE | Thirdly, the timer can call ene_tx_sample() that can write to the io ports, which means the io ports could be accessed again after they are deallocated by release_region(). (free routine) | (use routine) ene_remove() | ene_tx_sample() release_region(dev->hw_io, ...); //FREE | ene_write_reg() | outb(..., dev->hw_io + ENE_IO) //USE Fourthly, there is no function to cancel tx_sim_timer in ene_remove(), the timer handler ene_tx_irqsim() could race with ene_remove(). As a result, the UAF bugs could happen, the process is shown below. (free routine) | (use routine) | mod_timer(&dev->tx_sim_timer, ..) ene_remove() | (wait a time) kfree(dev) //FREE | ene_tx_irqsim() | dev->hw_lock //USE | ene_tx_sample(dev) //USE =*=*=*=*=*=*=*=*= Bug Effects =*=*=*=*=*=*=*=*= The vulnerabilities could crash the kernel and cause denial-of-service by detaching rc device. =*=*=*=*=*=*=*=*= Bug Fix =*=*=*=*=*=*=*=*=*=*= The patch that have been applied to mainline Linux kernel is shown below. https://github.com/torvalds/linux/commit/29b0589a865b6f66d141d79b2dd1373e4e50fe17 =*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=*= 2023-02-08: commit 29b0589a865b was accepted to mainline kernel 2023-03-01: CVE-2023-1118 was assigned by redhat. =*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*= Duoming Zhou <duoming () zju edu cn> Best Regards, Duoming Zhou
Current thread:
- Linux kernel: CVE-2023-1118: UAF vulnerabilities in "drivers/media/rc" directory duoming (Mar 01)