Bug 1211548

Summary: VUL-0: kernel: drivers/staging/media/sunxi/cedrus/cedrus.c: Use after free bug in cedrus_remove due to race condition
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Desktop 15 SP5
Reporter: Zheng Wang <hackerzheng666>
Component: Security
Assignee: openSUSE Kernel Bugs <kernel-bugs>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: Andreas.Stieger, security-team, tiwai
Version: unspecified
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Leap 15.4
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Zheng Wang 2023-05-19 09:09:21 UTC
In cedrus_probe, dev->watchdog_work is bound to the cedrus_watchdog function.
In cedrus_device_run, it is started by schedule_delayed_work. If there is
an unfinished work item when cedrus_remove runs, there may be a race condition
that triggers a UAF bug.

CPU0                  CPU1

                    |cedrus_watchdog
cedrus_remove       |
  v4l2_m2m_release  |
  kfree(m2m_dev)    |
                    |
                    | v4l2_m2m_get_curr_priv
                    |   m2m_dev //use

This bug has been repaired upstream and reported to Red Hat. Could you please assign a CVE to this issue? Best wishes.
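The race in the report is the classic "delayed work outlives the object it touches" pattern: remove frees m2m_dev while the watchdog is still armed, and the work function then dereferences the freed pointer. The following is an added, user-space model of that sequence, not code from the kernel or from the reporter. It shadows the kernel names (cedrus_watchdog, cedrus_device_run, cedrus_remove, schedule_delayed_work, cancel_delayed_work_sync, v4l2_m2m_release) with deliberately simplified stand-ins: a single-slot "workqueue" driven by hand so the interleaving is deterministic, and a tiny free-tracking shim that plays the role KASAN would play on real hardware. The "fixed" remove path, which cancels the pending work before releasing m2m_dev, is the standard fix for this class of bug and is assumed here; the page itself does not quote the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the object the watchdog reads through v4l2_m2m_get_curr_priv(). */
struct m2m_dev { int curr_ctx; };

/* Model of a delayed_work: a pending flag plus the handler to run. */
struct cedrus_dev;
struct delayed_work {
    bool pending;
    void (*fn)(struct cedrus_dev *);
};

struct cedrus_dev {
    struct m2m_dev *m2m_dev;
    struct delayed_work watchdog_work;
};

/* Free-tracking shim (stands in for KASAN): remember what was "kfree"d so a
 * later access through a dangling pointer can be counted deterministically. */
#define MAX_OBJS 8
static const void *freed_objs[MAX_OBJS];
static int nfreed;
static int uaf_count;

static void model_reset(void) { nfreed = 0; uaf_count = 0; }
static void model_kfree(const void *p) { if (nfreed < MAX_OBJS) freed_objs[nfreed++] = p; }
static bool model_is_freed(const void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed_objs[i] == p) return true;
    return false;
}
static void model_access(const void *p) { if (model_is_freed(p)) uaf_count++; }

/* Single-slot workqueue, run by hand from the scenario below. */
static void schedule_delayed_work(struct delayed_work *w) { w->pending = true; }
static void cancel_delayed_work_sync(struct delayed_work *w) { w->pending = false; }
static void run_pending_work(struct cedrus_dev *dev) {
    if (dev->watchdog_work.pending) {
        dev->watchdog_work.pending = false;
        dev->watchdog_work.fn(dev);      /* the "CPU1" side of the diagram */
    }
}

/* Watchdog handler: reads m2m_dev, as v4l2_m2m_get_curr_priv() does. */
static void cedrus_watchdog(struct cedrus_dev *dev) {
    model_access(dev->m2m_dev);
}

/* Starting a job arms the watchdog. */
static void cedrus_device_run(struct cedrus_dev *dev) {
    schedule_delayed_work(&dev->watchdog_work);
}

/* v4l2_m2m_release() ends in kfree(m2m_dev). */
static void v4l2_m2m_release(struct m2m_dev *m) { model_kfree(m); }

/* Remove path as described in the report: frees m2m_dev with the watchdog still armed. */
static void cedrus_remove_vulnerable(struct cedrus_dev *dev) {
    v4l2_m2m_release(dev->m2m_dev);
}

/* Assumed fix pattern: drain the delayed work before releasing what it touches. */
static void cedrus_remove_fixed(struct cedrus_dev *dev) {
    cancel_delayed_work_sync(&dev->watchdog_work);
    v4l2_m2m_release(dev->m2m_dev);
}

/* Replays CPU0/CPU1 from the report; returns the number of accesses to freed memory. */
static int run_scenario(bool fixed) {
    struct m2m_dev m2m = { .curr_ctx = 0 };
    struct cedrus_dev dev = {
        .m2m_dev = &m2m,
        .watchdog_work = { .pending = false, .fn = cedrus_watchdog },
    };
    model_reset();
    cedrus_device_run(&dev);                              /* job running, watchdog armed */
    if (fixed) cedrus_remove_fixed(&dev);                 /* CPU0: unplug / remove */
    else       cedrus_remove_vulnerable(&dev);
    run_pending_work(&dev);                               /* CPU1: watchdog fires */
    return uaf_count;
}

int main(void) {
    printf("vulnerable remove: %d use(s) after free\n", run_scenario(false));
    printf("fixed remove:      %d use(s) after free\n", run_scenario(true));
    return 0;
}
```

The model compresses the real interleaving into one thread, which is why it is deterministic: on real hardware the window is the time between v4l2_m2m_release() returning and the watchdog timer expiring, so a kernel without KASAN may run the vulnerable sequence many times without a visible crash. The check a reviewer wants in any remove()/disconnect() path is exactly the one the fixed variant models: every work item, timer or tasklet that can reach the object must be cancelled synchronously before the object is freed.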
Comment 2 Zheng Wang 2023-05-21 00:42:08 UTC
(In reply to Andreas Stieger from comment #1)
> https://lore.kernel.org/lkml/20230308032333.1893394-1-zyytlz.wz@163.com/
> https://lore.kernel.org/lkml/20230313163120.3741811-1-zyytlz.wz@163.com/
> https://patchwork.kernel.org/project/linux-media/patch/20230313163120.
> 3741811-1-zyytlz.wz@163.com/
> 
> Code appeared in 5.18.
> 
> > CONFIG_VIDEO_SUNXI_CEDRUS=m
> 
> https://github.com/SUSE/kernel-source/commit/
> 396dcff8ec2df93f48d0547e5163b93d5e715f57
> https://github.com/SUSE/kernel-source/commit/
> 5685b1d965d871b1a4681cc881d1f225141ab9a4
> 
> needinfo security for CVE request.

Thanks for your bisect. I think the CVE description might be:

The Linux kernel through 5.18 has a race condition and resultant use-after-free in drivers/staging/media/sunxi/cedrus/cedrus.c if a physically proximate attacker unplugs a device.

Credit Info:

Zheng Wang(@xmzyshypnc), Zhuorao Yang(@A1ex), Yang Hu(@BlueSheep) and
Zong Cao(@P1umer)
Comment 3 Andreas Stieger 2023-05-21 06:53:14 UTC
Description is wrong: from 5.18 (7c38a55) to before 6.4 (50d0a7a). A CVE might be overkill here. Is there any reason why you are contacting SUSE directly, other than wanting a CVE assigned?
Comment 4 Zheng Wang 2023-05-21 07:52:34 UTC
(In reply to Andreas Stieger from comment #3)
> Description is wrong: from 5.18 (7c38a55) to before 6.4 (50d0a7a). A CVE
> might be overkill here. Is there any reason why you are contacting SUSE
> directly, other than wanting a CVE assigned?

Thanks for your correction. There have been many similar CVEs before, so I think it's reasonable to assign it a CVE number. I contacted SUSE to solve the issue and avoid possible exploits.

Best regards,
Zheng
Comment 5 Marcus Meissner 2023-05-26 08:02:13 UTC
We currently would not consider this a security issue.

This seems to be a system-on-a-chip driver, and I think an attacker cannot make it appear to be hotplugged in any form.

SUSE will not request a CVE for this.