Message-ID: <61b9aeb9.70ae6.1869fd253e9.Coremail.duoming@zju.edu.cn>
Date: Thu, 2 Mar 2023 08:56:46 +0800 (GMT+08:00)
From: duoming@....edu.cn
To: oss-security@...ts.openwall.com
Subject: Linux kernel: CVE-2023-1118: UAF vulnerabilities in "drivers/media/rc" directory

Hello there,

There are use-after-free vulnerabilities in drivers/media/rc/ene_ir.c of Linux that allow an attacker to crash the Linux kernel without any privilege by detaching the rc device.

=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=

When the rc device is detaching, function ene_remove() will be called. But the synchronizations in ene_remove() are bad. The situations that may lead to race conditions are shown below.

Firstly, the rx receiver is disabled with ene_rx_disable() before rc_unregister_device() in ene_remove(), which means it can be enabled again if a process opens /dev/lirc0 between ene_rx_disable() and rc_unregister_device().

    (cleanup routine)          |        (open routine)
  ene_remove()                 |
    ene_rx_disable(dev);       |  ene_open()
                               |    ene_rx_enable(dev); //re-enable!

Secondly, the irqaction descriptor is freed by free_irq() before the rc device is unregistered, which means the irqaction descriptor may be accessed again after it is deallocated.

    (free routine)                    |        (use routine)
  ene_remove()                        |  ene_rx_enable()
    free_irq(dev->irq, ...); //FREE   |    ene_rx_enable_hw()
                                      |      ene_write_reg(..., dev->irq << 1) //USE

Thirdly, the timer can call ene_tx_sample(), which can write to the io ports, which means the io ports could be accessed again after they are deallocated by release_region().

    (free routine)                          |        (use routine)
  ene_remove()                              |  ene_tx_sample()
    release_region(dev->hw_io, ...); //FREE |    ene_write_reg()
                                            |      outb(..., dev->hw_io + ENE_IO) //USE

Fourthly, there is no function to cancel tx_sim_timer in ene_remove(), so the timer handler ene_tx_irqsim() could race with ene_remove(). As a result, UAF bugs could happen; the process is shown below.

    (free routine)             |        (use routine)
                               |  mod_timer(&dev->tx_sim_timer, ..)
  ene_remove()                 |  (wait a time)
    kfree(dev) //FREE          |  ene_tx_irqsim()
                               |    dev->hw_lock //USE
                               |    ene_tx_sample(dev) //USE

=*=*=*=*=*=*=*=*= Bug Effects =*=*=*=*=*=*=*=*=

The vulnerabilities could crash the kernel and cause denial-of-service by detaching the rc device.

=*=*=*=*=*=*=*=*= Bug Fix =*=*=*=*=*=*=*=*=*=*=

The patch that has been applied to the mainline Linux kernel is shown below.

https://github.com/torvalds/linux/commit/29b0589a865b6f66d141d79b2dd1373e4e50fe17

=*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=*=

2023-02-08: commit 29b0589a865b was accepted to mainline kernel
2023-03-01: CVE-2023-1118 was assigned by Red Hat.

=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=

Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou
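All four findings in the message above reduce to one teardown-ordering rule: a resource must not be freed while a path that still touches it (the rc device's open path, or tx_sim_timer) has yet to be stopped. The C model below is an added example, not code from the advisory or the kernel; it encodes that dependency as a checker and compares the ordering the message describes with one that quiesces both users first (that fixed ordering is an assumption derived from the message, not a copy of the upstream commit).

```c
#include <stdbool.h>
#include <stddef.h>

/* Resources released by ene_remove() and the two paths the advisory says
 * can still touch them: the rc device's open path and tx_sim_timer. */
enum res  { RES_IRQ, RES_IO, RES_DEV };
enum user { USER_RCDEV, USER_TIMER, USER_COUNT };
enum step {
    STOP_RCDEV,  /* rc_unregister_device(): no more open()/ene_rx_enable() */
    STOP_TIMER,  /* del_timer_sync(): ene_tx_irqsim() can no longer fire */
    RX_DISABLE,  /* ene_rx_disable(): reversible by open(), so stops nothing */
    FREE_IRQ,    /* free_irq(dev->irq, ...) */
    FREE_IO,     /* release_region(dev->hw_io, ...) */
    FREE_DEV     /* kfree(dev) */
};

/* Resource bitmask each path dereferences, taken from the advisory's USE lines. */
static const unsigned uses[USER_COUNT] = {
    [USER_RCDEV] = (1u << RES_IRQ) | (1u << RES_IO) | (1u << RES_DEV),
    [USER_TIMER] = (1u << RES_IO) | (1u << RES_DEV),
};

/* True when every free is ordered after all users of that resource have been
 * stopped; otherwise false, with *first_bad set to the index of the bad step. */
bool teardown_is_safe(const enum step *seq, size_t n, size_t *first_bad)
{
    bool stopped[USER_COUNT] = { false, false };
    for (size_t i = 0; i < n; i++) {
        int freed = -1;
        switch (seq[i]) {
        case STOP_RCDEV: stopped[USER_RCDEV] = true; break;
        case STOP_TIMER: stopped[USER_TIMER] = true; break;
        case RX_DISABLE: break;
        case FREE_IRQ:   freed = RES_IRQ; break;
        case FREE_IO:    freed = RES_IO;  break;
        case FREE_DEV:   freed = RES_DEV; break;
        }
        if (freed < 0) continue;
        for (int u = 0; u < USER_COUNT; u++)
            if ((uses[u] & (1u << freed)) && !stopped[u]) {
                if (first_bad) *first_bad = i;
                return false;
            }
    }
    return true;
}

/* Order the advisory describes (constructed from its four findings). */
const enum step buggy_order[] = { RX_DISABLE, FREE_IRQ, FREE_IO, STOP_RCDEV, FREE_DEV };
/* Order that satisfies the invariant (an assumption derived from the advisory,
 * not a copy of the upstream patch): stop both users first, then free. */
const enum step fixed_order[] = { STOP_RCDEV, STOP_TIMER, RX_DISABLE, FREE_IRQ, FREE_IO, FREE_DEV };
```

Running the checker over the buggy order flags free_irq() as the first free that races with a still-registered rc device; unregistering the device alone still fails on release_region() because the timer was never cancelled.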