Question about patch "fbdev: smscufx: Fix use-after-free in ufx_ops_open()"
ChenXiaoSong
chenxiaosong2 at huawei.com
Tue Oct 11 14:13:02 UTC 2022
Hi Hyunwoo:
[patch "fbdev: smscufx: Fix use-after-free in
ufx_ops_open()"](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/)
fix [CVE-2022-41849](https://nvd.nist.gov/vuln/detail/CVE-2022-41849).
If the UAF scenarios is as follows, it seems that [fix path
v3](https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/) will
not avoid race contidion of krefs:
```
cpu0 | cpu1
-------------------------------------|---------------------------------------------------
1. open() |
ufx_ops_open() |
-------------------------------------|---------------------------------------------------
| 2. ufx_usb_disconnect()
| dev->virtualized = true;
| atomic_set()
| usb_set_intfdata()
|
| 3. if (dev->fb_count == 0)
| schedule_delayed_work()
| kref_put() <- kref count : 1
| kref_put() <- kref count : 0
| ufx_free()
| kfree(dev);
-------------------------------------|---------------------------------------------------
4. if (dev->virtualized) <==== UAF |
```
Did I misunderstand the UAF scenarios ?
More information about the dri-devel
mailing list