fbdev: smscufx: Fix use-after-free in ufx_ops_open()

mainline inclusion from mainline-v6.0-rc1 commit 5610bcfe category: bugfix bugzilla: 187798, https://gitee.com/src-openeuler/kernel/issues/I5U1NZ CVE: CVE-2022-41849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=5610bcfe8693c02e2e4c8b31427f1bdbdecc839c --------------------------- A race condition may occur if the user physically removes the USB device while calling open() for this device node. This is a race condition between the ufx_ops_open() function and the ufx_usb_disconnect() function, which may eventually result in UAF. So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: N Hyunwoo Kim <imv4bel@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: N Helge Deller <deller@gmx.de> Signed-off-by: N ChenXiaoSong <chenxiaosong2@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

fbdev: smscufx: Fix use-after-free in ufx_ops_open()
mainline inclusion from mainline-v6.0-rc1 commit 5610bcfe category: bugfix bugzilla: 187798, https://gitee.com/src-openeuler/kernel/issues/I5U1NZ CVE: CVE-2022-41849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=5610bcfe8693c02e2e4c8b31427f1bdbdecc839c --------------------------- A race condition may occur if the user physically removes the USB device while calling open() for this device node. This is a race condition between the ufx_ops_open() function and the ufx_usb_disconnect() function, which may eventually result in UAF. So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: N Hyunwoo Kim <imv4bel@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: N Helge Deller <deller@gmx.de> Signed-off-by: N ChenXiaoSong <chenxiaosong2@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
6817fefc · Hyunwoo Kim · Zheng Zengkai · fcddf02a · 6817fefc
隐藏空白更改
内联并排

Showing with 13 addition and 1 deletion

drivers/video/fbdev/smscufx.c drivers/video/fbdev/smscufx.c +13 -1

未找到文件。
--- a/drivers/video/fbdev/smscufx.c
+++ b/drivers/video/fbdev/smscufx.c
@@ -137,6 +137,8 @@ static int ufx_submit_urb(struct ufx_data *dev, struct urb * urb, size_t len);
 static int ufx_alloc_urb_list(struct ufx_data *dev, int count, size_t size);
 static void ufx_free_urb_list(struct ufx_data *dev);

+static DEFINE_MUTEX(disconnect_mutex);
+
 /* reads a control register */
 static int ufx_reg_read(struct ufx_data *dev, u32 index, u32 *data)
 {
@@ -1070,9 +1072,13 @@ static int ufx_ops_open(struct fb_info *info, int user)
 	if (user == 0 && !console)
 		return -EBUSY;

+	mutex_lock(&disconnect_mutex);
+
 	/* If the USB device is gone, we don't accept new opens */
-	if (dev->virtualized)
+	if (dev->virtualized) {
+		mutex_unlock(&disconnect_mutex);
 		return -ENODEV;
+	}

 	dev->fb_count++;

@@ -1096,6 +1102,8 @@ static int ufx_ops_open(struct fb_info *info, int user)
 	pr_debug("open /dev/fb%d user=%d fb_info=%p count=%d",
 		info->node, user, info, dev->fb_count);

+	mutex_unlock(&disconnect_mutex);
+
 	return 0;
 }

@@ -1740,6 +1748,8 @@ static void ufx_usb_disconnect(struct usb_interface *interface)
 {
 	struct ufx_data *dev;

+	mutex_lock(&disconnect_mutex);
+
 	dev = usb_get_intfdata(interface);

 	pr_debug("USB disconnect starting\n");
@@ -1760,6 +1770,8 @@ static void ufx_usb_disconnect(struct usb_interface *interface)
 	kref_put(&dev->kref, ufx_free);

 	/* consider ufx_data freed */
+
+	mutex_unlock(&disconnect_mutex);
 }

 static struct usb_driver ufx_driver = {