fbdev: smscufx: Fix use-after-free in ufx_ops_open() (4b472e21) · Commits · Summer2022 / 22b970264

Commit 4b472e21 authored 2 years ago by

Hyunwoo Kim Committed by Yongqiang Liu 2 years ago

fbdev: smscufx: Fix use-after-free in ufx_ops_open()

mainline inclusion
from mainline-v6.0-rc1
commit 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c
category: bugfix
bugzilla: 187798, https://gitee.com/src-openeuler/kernel/issues/I5U1NZ


CVE: CVE-2022-41849

--------------------------------

A race condition may occur if the user physically removes the
USB device while calling open() for this device node.

This is a race condition between the ufx_ops_open() function and
the ufx_usb_disconnect() function, which may eventually result in UAF.

So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions
to avoid race contidion of krefs.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

parent edb25e44

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 13 additions and 1 deletion

Please register or to comment