Bug 1211548 - VUL-0: kernel: drivers/staging/media/sunxi/cedrus/cedrus.c: Use after free bug in cedrus_remove due to race condition
Status: RESOLVED UPSTREAM
Alias: None
Product: PUBLIC SUSE Linux Enterprise Desktop 15 SP5
Classification: openSUSE
Component: Security
Version: unspecified
Hardware: x86-64 openSUSE Leap 15.4
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assignee: openSUSE Kernel Bugs
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2023-05-19 09:09 UTC by Zheng Wang
Modified: 2023-05-26 08:02 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Zheng Wang 2023-05-19 09:09:21 UTC
In cedrus_probe, dev->watchdog_work is bound to the cedrus_watchdog function.
In cedrus_device_run, it will be started by schedule_delayed_work. If there is
an unfinished work item in cedrus_remove, there may be a race condition that
triggers a UAF bug.

CPU0                  CPU1

                    |cedrus_watchdog
cedrus_remove       |
  v4l2_m2m_release  |
  kfree(m2m_dev)    |
                    |
                    | v4l2_m2m_get_curr_priv
                    |   m2m_dev //use

This bug has been repaired upstream and reported to Redhat. Could you please assign a CVE to this issue? Best wishes.
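The race in the report, as an added user-space model that is not the driver's code: a constructed delayed-work queue stands in for the kernel workqueue, and releasing the m2m device sets a flag instead of freeing memory so the late watchdog access can be observed without undefined behaviour. The remedy modelled (cancelling the delayed work synchronously before releasing the device) is the usual fix for this bug class and is assumed here, not quoted from the upstream patch.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for a kernel delayed_work and its workqueue. */
struct delayed_work { void (*fn)(void *); void *arg; bool pending; };
static struct delayed_work *queue[4];
static int nqueued;

static void schedule_delayed_work(struct delayed_work *w) {
    if (!w->pending) { w->pending = true; queue[nqueued++] = w; }
}
/* cancel_delayed_work_sync(): dequeue and (in the kernel) wait for a running instance. */
static void cancel_delayed_work_sync(struct delayed_work *w) { w->pending = false; }
/* Later run of the worker (CPU1 in the report): executes whatever is still pending. */
static void run_pending_work(void) {
    for (int i = 0; i < nqueued; i++)
        if (queue[i]->pending) { queue[i]->pending = false; queue[i]->fn(queue[i]->arg); }
    nqueued = 0;
}

/* m2m device: release() marks the object instead of freeing it so a late use is observable. */
struct m2m_dev { bool released; };
struct cedrus_dev { struct m2m_dev m2m; struct delayed_work watchdog_work; bool uaf_observed; };

static struct m2m_dev *v4l2_m2m_get_curr_priv(struct cedrus_dev *dev) { return &dev->m2m; }
static void v4l2_m2m_release(struct m2m_dev *m) { m->released = true; } /* kfree(m2m_dev) in the driver */

static void cedrus_watchdog(void *arg) {
    struct cedrus_dev *dev = arg;
    struct m2m_dev *m2m = v4l2_m2m_get_curr_priv(dev);   /* the "m2m_dev //use" line of the report */
    if (m2m->released) dev->uaf_observed = true;
}

static void cedrus_probe(struct cedrus_dev *dev) {
    memset(dev, 0, sizeof *dev);
    dev->watchdog_work.fn = cedrus_watchdog;
    dev->watchdog_work.arg = dev;
}
static void cedrus_device_run(struct cedrus_dev *dev) { schedule_delayed_work(&dev->watchdog_work); }

static void cedrus_remove(struct cedrus_dev *dev, bool fixed) {
    if (fixed) cancel_delayed_work_sync(&dev->watchdog_work); /* fix: no work may outlive the device */
    v4l2_m2m_release(&dev->m2m);
}

/* Probe, start a job, remove the device, then let the worker run; 1 if the watchdog touched released state. */
int simulate_remove_race(bool fixed) {
    struct cedrus_dev dev;
    cedrus_probe(&dev);
    cedrus_device_run(&dev);
    cedrus_remove(&dev, fixed);
    run_pending_work();
    return dev.uaf_observed ? 1 : 0;
}
```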
Comment 2 Zheng Wang 2023-05-21 00:42:08 UTC
(In reply to Andreas Stieger from comment #1)
> https://lore.kernel.org/lkml/20230308032333.1893394-1-zyytlz.wz@163.com/
> https://lore.kernel.org/lkml/20230313163120.3741811-1-zyytlz.wz@163.com/
> https://patchwork.kernel.org/project/linux-media/patch/20230313163120.3741811-1-zyytlz.wz@163.com/
> 
> Code appeared in 5.18.
> 
> > CONFIG_VIDEO_SUNXI_CEDRUS=m
> 
> https://github.com/SUSE/kernel-source/commit/396dcff8ec2df93f48d0547e5163b93d5e715f57
> https://github.com/SUSE/kernel-source/commit/5685b1d965d871b1a4681cc881d1f225141ab9a4
> 
> needinfo security for CVE request.

Thanks for your bisect, I think the CVE description might be:

The Linux kernel through 5.18 has a race condition and resultant use-after-free in drivers/staging/media/sunxi/cedrus/cedrus.c if a physically proximate attacker unplugs a device.

Credit Info:

Zheng Wang(@xmzyshypnc), Zhuorao Yang(@A1ex), Yang Hu(@BlueSheep) and
Zong Cao(@P1umer)
Comment 3 Andreas Stieger 2023-05-21 06:53:14 UTC
Description is wrong: from 5.18 (7c38a55) to before 6.4 (50d0a7a). A CVE might be overkill here. Is there any reason why you are contacting SUSE directly, other than wanting a CVE assigned?
Comment 4 Zheng Wang 2023-05-21 07:52:34 UTC
(In reply to Andreas Stieger from comment #3)
> Description is wrong: from 5.18 (7c38a55) to before 6.4 (50d0a7a). A CVE
> might be overkill here. Is there any reason why you are contacting SUSE
> directly, other than wanting a CVE assigned?

Thanks for your correction. There are many similar CVEs before, so I think it's reasonable to assign it a CVE number. I contacted SUSE to solve the issue and avoid possible exploits.

Best regards,
Zheng
Comment 5 Marcus Meissner 2023-05-26 08:02:13 UTC
We currently would not consider this a security issue.

This seems to be a system-on-a-chip driver, and I think an attacker cannot pretend it to be hotplugged in any form.

SUSE will not request a CVE for this.