Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 2 Mar 2023 08:56:46 +0800 (GMT+08:00)
Subject: Linux kernel: CVE-2023-1118: UAF vulnerabilities in
 "drivers/media/rc" directory

Hello there,

There are use-after-free vulnerabilities in drivers/media/rc/ene_ir.c of linux that
allow attacker to crash linux kernel without any privilege by detaching rc device.

=*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=

When the rc device is detaching, function ene_remove() will be called.
But the synchronizations in ene_remove() are bad. The situations that 
may lead to race conditions are shown below.

Firstly, the rx receiver is disabled with ene_rx_disable()
before rc_unregister_device() in ene_remove(), which means it
can be enabled again if a process opens /dev/lirc0 between
ene_rx_disable() and rc_unregister_device().

    (cleanup routine)      |        (open routine)
ene_remove()               | 
  ene_rx_disable(dev);     | ene_open()
                           |   ene_rx_enable(dev); //re-enable!

Secondly, the irqaction descriptor is freed by free_irq()
before the rc device is unregistered, which means irqaction
descriptor may be accessed again after it is deallocated.

    (free routine)                |        (use routine)
ene_remove()                      | ene_rx_enable()
  free_irq(dev->irq, ...); //FREE |   ene_rx_enable_hw()
                                  |     ene_write_reg(..., dev->irq << 1) //USE

Thirdly, the timer can call ene_tx_sample() that can write
to the io ports, which means the io ports could be accessed
again after they are deallocated by release_region().

    (free routine)                        |        (use routine)
ene_remove()                              | ene_tx_sample()
  release_region(dev->hw_io, ...); //FREE |   ene_write_reg()
                                          |     outb(..., dev->hw_io + ENE_IO) //USE

Fourthly, there is no function to cancel tx_sim_timer in ene_remove(),
the timer handler ene_tx_irqsim() could race with ene_remove(). 
As a result, the UAF bugs could happen, the process is shown below.

    (free routine)             |        (use routine)
                               | mod_timer(&dev->tx_sim_timer, ..)
ene_remove()                   | (wait a time)
  kfree(dev) //FREE            | ene_tx_irqsim()
                               |   dev->hw_lock //USE
                               |   ene_tx_sample(dev) //USE

=*=*=*=*=*=*=*=*=  Bug Effects  =*=*=*=*=*=*=*=*=

The vulnerabilities could crash the kernel and cause denial-of-service by detaching rc device.

=*=*=*=*=*=*=*=*=  Bug Fix  =*=*=*=*=*=*=*=*=*=*=

The patch that have been applied to mainline Linux kernel is shown below.

=*=*=*=*=*=*=*=*=  Timeline  =*=*=*=*=*=*=*=*=*=

2023-02-08: commit 29b0589a865b was accepted to mainline kernel
2023-03-01: CVE-2023-1118 was assigned by redhat.

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=

Duoming Zhou <>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.