CVE-2024-43900

In the Linux kernel, the following vulnerability has been resolved: media: xc2028: avoid use-after-free in load_firmware_cb() syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during module initialization accesses this struct tuner later, it caused use-after-free. The process is as follows: task-6504 worker_thread tuner_probe <= alloc dvb_frontend [2] ... request_firmware_nowait <= create a worker ... tuner_remove <= free dvb_frontend ... request_firmware_work_func <= the firmware is ready load_firmware_cb <= but now the dvb_frontend has been freed To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is null, report a warning and just return. [1]: ================================================================== BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0 Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504 Call trace: load_firmware_cb+0x1310/0x17a0 request_firmware_work_func+0x128/0x220 process_one_work+0x770/0x1824 worker_thread+0x488/0xea0 kthread+0x300/0x430 ret_from_fork+0x10/0x20 Allocated by task 6504: kzalloc tuner_probe+0xb0/0x1430 i2c_device_probe+0x92c/0xaf0 really_probe+0x678/0xcd0 driver_probe_device+0x280/0x370 __device_attach_driver+0x220/0x330 bus_for_each_drv+0x134/0x1c0 __device_attach+0x1f4/0x410 device_initial_probe+0x20/0x30 bus_probe_device+0x184/0x200 device_add+0x924/0x12c0 device_register+0x24/0x30 i2c_new_device+0x4e0/0xc44 v4l2_i2c_new_subdev_board+0xbc/0x290 v4l2_i2c_new_subdev+0xc8/0x104 em28xx_v4l2_init+0x1dd0/0x3770 Freed by task 6504: kfree+0x238/0x4e4 tuner_remove+0x144/0x1c0 i2c_device_remove+0xc8/0x290 __device_release_driver+0x314/0x5fc device_release_driver+0x30/0x44 bus_remove_device+0x244/0x490 device_del+0x350/0x900 device_unregister+0x28/0xd0 i2c_unregister_device+0x174/0x1d0 v4l2_device_unregister+0x224/0x380 em28xx_v4l2_init+0x1d90/0x3770 The buggy address belongs to the object at ffff8000d7ca2000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 776 bytes inside of 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800) The buggy address belongs to the page: page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0 flags: 0x7ff800000000100(slab) raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [2] Actually, it is allocated for struct tuner, and dvb_frontend is inside.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

27 Aug 2024, 14:38

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CWE CWE-416
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
References () https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5 - () https://git.kernel.org/stable/c/208deb6d8c3cb8c3acb1f41eb31cf68ea08726d5 - Patch
References () https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60 - () https://git.kernel.org/stable/c/68594cec291ff9523b9feb3f43fd853dcddd1f60 - Patch
References () https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b - () https://git.kernel.org/stable/c/850304152d367f104d21c77cfbcc05806504218b - Patch
References () https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e - () https://git.kernel.org/stable/c/ef517bdfc01818419f7bd426969a0c86b14f3e0e - Patch
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medio: xc2028: evitar el use-after-free en load_firmware_cb() syzkaller informó el use-after-free en load_firmware_cb() [1]. La razón es que el módulo asignó un sintonizador de estructuras en tuner_probe(), y luego la inicialización del módulo falló, se liberó el sintonizador de estructuras. Un trabajador que creó durante la inicialización del módulo accede a este sintonizador de estructuras más tarde, lo que provocó un use-after-free. El proceso es el siguiente: task-6504 trabajador_thread tuner_probe &lt;= alloc dvb_frontend [2]... request_firmware_nowait &lt;= crear un trabajador... tuner_remove &lt;= free dvb_frontend... request_firmware_work_func &lt;= el firmware está listo load_firmware_cb &lt;= pero ahora el dvb_frontend ha sido liberado. Para solucionar el problema, verifique el dvd_frontend en load_firmware_cb(), si es nulo, informe una advertencia y simplemente regrese. [1]: =============================================== ==================== ERROR: KASAN: use-after-free en load_firmware_cb+0x1310/0x17a0 Lectura de tamaño 8 en la dirección ffff8000d7ca2308 por tarea kworker/2:3/ 6504 Rastreo de llamadas: load_firmware_cb+0x1310/0x17a0 request_firmware_work_func+0x128/0x220 Process_one_work+0x770/0x1824 Workers_thread+0x488/0xea0 kthread+0x300/0x430 ret_from_fork+0x10/0x20 Asignado por tarea 650 4: kzalloc tuner_probe+0xb0/0x1430 i2c_device_probe+0x92c/0xaf0 very_probe+0x678/0xcd0 driver_probe_device+0x280/0x370 __device_attach_driver+0x220/0x330 bus_for_each_drv+0x134/0x1c0 __device_attach+0x1f4/0x410 dispositivo_initial_probe+0x20/0x30 bus_probe_device+0x 184/0x200 dispositivo_add+0x924/0x12c0 registro_dispositivo+0x24/0x30 i2c_new_device+0x4e0/0xc44 v4l2_i2c_new_subdev_board+0xbc/0x290 v4l2_i2c_new_subdev+0xc8/0x104 em28xx_v4l2_init+0x1dd0/0x3770 Liberado por la tarea 6504: kfree+0x238/0x4e4 tuner_remove+0x144/0x1c0 vice_remove+0xc8/0x290 __device_release_driver+0x314/0x5fc dispositivo_release_driver+0x30/0x44 bus_remove_device+0x244/0x490 device_del+0x350/0x900 device_unregister+0x28/0xd0 i2c_unregister_device+0x174/0x1d0 v4l2_device_unregister+0x224/0x380 em28xx_v4l2_init+0x1d90/0x3770 La dirección con errores pertenece al objeto en ffff8000d7ca200 0 que pertenece al caché kmalloc-2k de tamaño 2048 La dirección del error se encuentra 776 bytes dentro de la región de 2048 bytes [ffff8000d7ca2000, ffff8000d7ca2800) La dirección con errores pertenece a la página: página:ffff7fe00035f280 recuento:1 mapcount:0 mapeo:ffff8000c001f000 índice:0x0 banderas: 0x7ff800000000100(slab) : 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 crudo: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 página volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la dirección del error: ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb f b fb fb fb ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb &gt;ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2400: b fb fb fb fb fb fb fb fb fb fb fb fb fb fb ======================================== ============================ [2] En realidad, está asignado para el sintonizador de estructuras y dvb_frontend está dentro.

26 Aug 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-26 11:15

Updated : 2024-08-27 14:38


NVD link : CVE-2024-43900

Mitre link : CVE-2024-43900

CVE.ORG link : CVE-2024-43900


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free