Question about patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"

Hyunwoo Kim imv4bel at gmail.com
Tue Oct 11 15:34:36 UTC 2022


On Tue, Oct 11, 2022 at 10:13:02PM +0800, ChenXiaoSong wrote:
> Hi Hyunwoo:
> 
> [patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/)
> fix [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849).
> 
> If the UAF scenarios is as follows, it seems that [fix path
> v3](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/) will not
> avoid race contidion of krefs:
> 
> ```
>           cpu0                       |        cpu1
> -------------------------------------|---------------------------------------------------
>  1. open()                           |
>     ufx_ops_open()                   |
> -------------------------------------|---------------------------------------------------
>                                      | 2. ufx_usb_disconnect()
>                                      |    dev->virtualized = true;
>                                      |    atomic_set()
>                                      |    usb_set_intfdata()
>                                      |
>                                      | 3. if (dev->fb_count == 0)
>                                      |    schedule_delayed_work()
>                                      |    kref_put()   <- kref count : 1
>                                      |    kref_put()   <- kref count : 0
>                                      |    ufx_free()
>                                      |    kfree(dev);
> -------------------------------------|---------------------------------------------------
>  4. if (dev->virtualized) <==== UAF  |
> ```

You are right. This v3 fix patch may prevent the UAF scenario I first suggested,
but not the one you suggested.

Any good ideas for this?
Could it be solved by adding a global flag variable indicating disconnected?


Regards,
Hyunwoo Kim.


More information about the dri-devel mailing list