| Message ID | 20240914163932.253-1-kxwang23@m.fudan.edu.cn (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v3] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition | expand |
On Sun, 15 Sep 2024 00:39:33 +0800, Kaixin Wang wrote: > In the svc_i3c_master_probe function, &master->hj_work is bound with > svc_i3c_master_hj_work, &master->ibi_work is bound with > svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the > hj_work, svc_i3c_master_irq_handler can start the ibi_work. > > If we remove the module which will call svc_i3c_master_remove to > make cleanup, it will free master->base through i3c_master_unregister > while the work mentioned above will be used. The sequence of operations > that may lead to a UAF bug is as follows: > > [...] Applied, thanks! [1/1] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition https://git.kernel.org/abelloni/c/618507257797 Best regards,
diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c index 0a68fd1b81d4..e084ba648b4a 100644 --- a/drivers/i3c/master/svc-i3c-master.c +++ b/drivers/i3c/master/svc-i3c-master.c @@ -1775,6 +1775,7 @@ static void svc_i3c_master_remove(struct platform_device *pdev) { struct svc_i3c_master *master = platform_get_drvdata(pdev); + cancel_work_sync(&master->hj_work); i3c_master_unregister(&master->base); pm_runtime_dont_use_autosuspend(&pdev->dev);
In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work. If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | svc_i3c_master_hj_work svc_i3c_master_remove | i3c_master_unregister(&master->base)| device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove. Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void") Cc: stable@vger.kernel.org Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> --- v3: - add the tag "Cc: stable@vger.kernel.org" in the sign-off area - Link to v2: https://lore.kernel.org/r/20240914154030.180-1-kxwang23@m.fudan.edu.cn v2: - add fixes tag and cc stable, suggested by Frank - add Reviewed-by label from Miquel - Link to v1: https://lore.kernel.org/r/20240911150135.839946-1-kxwang23@m.fudan.edu.cn --- drivers/i3c/master/svc-i3c-master.c | 1 + 1 file changed, 1 insertion(+)