From: Takashi Iwai
To: Mauro Carvalho Chehab
Cc: Hyunwoo Kim, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: dvb-core: Fix UAF due to refcount races at releasing
Date: Thu, 8 Sep 2022 15:27:54 +0200
Message-Id: <20220908132754.30532-1-tiwai@suse.de>

The dvb-core tries to sync the releases of opened files at
dvb_dmxdev_release() with two refcounts: dvbdev->users and
dvr_dvbdev->users. A problem is present in those two syncs: when yet
another dvb_demux_open() is called during those sync waits,
dvb_demux_open() continues to process even if the device is being
closed. This includes the increment of the former refcount, resulting
in the leftover refcount after the sync of the latter refcount at
dvb_dmxdev_release(). It ends up with use-after-free, since the
function believes that all usages were gone and releases the
resources.

This patch addresses the problem by adding the check of dmxdev->exit
flag at dvb_demux_open(), just like dvb_dvr_open() already does. With
the exit flag check, the second call of dvb_demux_open() fails, hence
the further corruption can be avoided.

Also for avoiding the races of the dmxdev->exit flag reference, this
patch serializes the dmxdev->exit set-up and the sync waits with the
dmxdev->mutex lock at dvb_dmxdev_release(). Without the mutex lock,
dvb_demux_open() (or dvb_dvr_open()) may run concurrently with
dvb_dmxdev_release(), which allows skipping the exit flag check and
continuing the open process that is being closed.

Reported-by: Hyunwoo Kim
Cc:
Signed-off-by: Takashi Iwai --- drivers/media/dvb-core/dmxdev.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c index f6ee678107d3..9ce5f010de3f 100644 --- a/drivers/media/dvb-core/dmxdev.c +++ b/drivers/media/dvb-core/dmxdev.c @@ -790,6 +790,11 @@ static int dvb_demux_open(struct inode *inode, struct file *file) if (mutex_lock_interruptible(&dmxdev->mutex)) return -ERESTARTSYS; + if (dmxdev->exit) { + mutex_unlock(&dmxdev->mutex); + return -ENODEV; + } + for (i = 0; i < dmxdev->filternum; i++) if (dmxdev->filter[i].state == DMXDEV_STATE_FREE) break; @@ -1448,7 +1453,10 @@ EXPORT_SYMBOL(dvb_dmxdev_init); void dvb_dmxdev_release(struct dmxdev *dmxdev) { + mutex_lock(&dmxdev->mutex); dmxdev->exit = 1; + mutex_unlock(&dmxdev->mutex); + if (dmxdev->dvbdev->users > 1) { wait_event(dmxdev->dvbdev->wait_queue, dmxdev->dvbdev->users == 1); -- 2.35.3
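Review bot: the new `if (dmxdev->exit)` test at the top of dvb_demux_open() is only race-free because the second hunk sets dmxdev->exit while holding the same dmxdev->mutex; a one-line comment above the check naming dvb_dmxdev_release() as the writer of the flag would keep the two sites from being decoupled by a later refactor. The placement is right: it sits directly after mutex_lock_interruptible() succeeds and before the filter scan, so no filter slot or refcount is touched on the failure path, and the unlock-then-return keeps the lock balanced. The commit message says dvb_dvr_open() already has the same check, so mirroring it here is consistent.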
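Review bot: dropping dmxdev->mutex before the wait_event() on dmxdev->dvbdev->users is necessary rather than optional, since sleeping with the mutex held would deadlock against any close path that takes dmxdev->mutex before dropping its users reference; worth saying so in a comment after `mutex_unlock(&dmxdev->mutex);` because the `if (dmxdev->dvbdev->users > 1)` test and the wait condition now read users without the lock. That unlocked read is sound only under the invariant the first hunk establishes: every dvb_demux_open() that acquires the mutex after this unlock sees exit == 1 and fails, so users can only decrease from here on. The context lines show only the dvbdev wait; the dvr_dvbdev wait named in the commit message depends in the same way on the existing exit check in dvb_dvr_open(), so the same invariant comment applies there.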
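As an added illustration, not code from the patch or from dvb-core, the following C program replays the interleaving the commit message describes: release has already synced the demux refcount and is waiting on the dvr refcount when an open() slips in. The struct and all `model_*` names are made up for this model; the two sync waits are collapsed into two sequential phases so the race window can be exercised deterministically, and the "unfixed" open mirrors the pre-patch behaviour while the "fixed" open mirrors the added exit check.

```c
/* Constructed model of the dmxdev refcount race from the patch message.
 * This is NOT dvb-core code; struct and function names are made up. */
#include <errno.h>
#include <stdio.h>

struct demux_model {
    int demux_users; /* models dmxdev->dvbdev->users; 1 == no open file */
    int dvr_users;   /* models dmxdev->dvr_dvbdev->users; 1 == no open file */
    int exit;        /* models dmxdev->exit */
    int freed;       /* set once release has torn the device down */
};

typedef int (*open_fn)(struct demux_model *);

static void model_init(struct demux_model *m)
{
    m->demux_users = 1;
    m->dvr_users = 1;
    m->exit = 0;
    m->freed = 0;
}

/* open() before the patch: bumps the refcount even while release is in flight. */
static int model_demux_open_unfixed(struct demux_model *m)
{
    m->demux_users++;
    return 0;
}

/* open() after the patch: refuses once release has raised the exit flag.
 * In the kernel both the test and the set of the flag happen under
 * dmxdev->mutex; this sequential model makes that ordering explicit. */
static int model_demux_open_fixed(struct demux_model *m)
{
    if (m->exit)
        return -ENODEV;
    m->demux_users++;
    return 0;
}

/* release(), split at the two sync points so an open() can be injected
 * between them, which is exactly the window the patch message describes. */
static void model_release_phase1(struct demux_model *m)
{
    m->exit = 1;
    /* wait_event(..., demux_users == 1): nothing is open, returns at once */
}

static void model_release_phase2(struct demux_model *m)
{
    /* wait_event(..., dvr_users == 1) has returned; release now believes
     * every user is gone and frees the device. Any demux user above 1 at
     * this point keeps a reference to freed memory. */
    m->freed = 1;
}

/* Replays the interleaving and returns how many demux users still reference
 * the device after it was freed: 0 is safe, anything greater is the leftover
 * refcount that leads to the use-after-free. *open_rc receives open()'s result. */
static int leftover_users_after_release(open_fn opener, int *open_rc)
{
    struct demux_model m;

    model_init(&m);
    model_release_phase1(&m);   /* exit = 1, demux users synced */
    *open_rc = opener(&m);      /* open() races in during the dvr sync wait */
    model_release_phase2(&m);   /* dvr users synced; device freed */

    return m.freed ? m.demux_users - 1 : -1;
}

int main(void)
{
    int rc_unfixed, rc_fixed;
    int unfixed = leftover_users_after_release(model_demux_open_unfixed, &rc_unfixed);
    int fixed = leftover_users_after_release(model_demux_open_fixed, &rc_fixed);

    printf("unfixed open: rc=%d, %d leftover user(s) after free\n", rc_unfixed, unfixed);
    printf("fixed open:   rc=%d, %d leftover user(s) after free\n", rc_fixed, fixed);
    return fixed == 0 ? 0 : 1;
}
```

The model deliberately omits the mutex: the point it isolates is that the exit flag must be observed by open() before the refcount is bumped, and the hunk's locking is what guarantees that observation is not stale in the real driver.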