From patchwork Mon Oct 31 10:02:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
X-Patchwork-Id: 13182
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp2221412wru;
        Mon, 31 Oct 2022 03:07:54 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM7p98+Ry7y+lTmaBtGWg48m5AIL/z6iqPRtOwxRM/ShtWsCr9jkNzGN0JXbWoaKHJodOEhe
X-Received: by 2002:a17:906:2543:b0:7ad:d164:bc73 with SMTP id
 j3-20020a170906254300b007add164bc73mr4374465ejb.210.1667210874546;
        Mon, 31 Oct 2022 03:07:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1667210874; cv=none;
        d=google.com; s=arc-20160816;
        b=0KXd/U+NMNyJNLupvT172pPljy+98kCIGy3GVxgf2voRYY6u+e8XKXHew4bWXlcJtN
         UWDbu8SENEZKjpZenzXoBMwjxh6zXR/MXs18I+8W9r8IzlN4Jeluzbg9bFzZ9cIWOLmW
         FZAFTFgoYadfd3JOQA2vuSg+RpoPuYG/L4FYou3/0tUwAuPUiaXdEZDcdwLkf8pjZnIb
         eKMDb+920ljcxqyz6hYhTV6u2U7NXXckQA45ACaYZhlHxhbCRTrA73oHSNKr6lrm4EzR
         xcOWSKHmh11jW1MRcwYwCWnHgrYJ1HCO9ekibOUUsycMv9e4B9nrvP4KMNmco13Og5Nx
         wbhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
        bh=mG8miN6fTybhiCNoskosNwj4AqwBA6DZ0YczEenlttw=;
        b=0KMfSlt8QyjzOUin+lAodjw2gTYoM9YVIuFNMs1cQHlchFV78m43OmrAk0Svw/0ZwG
         in9XMXjSNeIEks8fE9JufrNXNvm1Dlm8lyqMKo/xWNCwADa87cZs+PjhB764Ab+T33FQ
         ZJyTQVN0wfobHLzPZCWR6bC+VsNY5letGK6vyNYXrvq74Aw1lpiWYMPPlrFEpYnh4748
         lfUlnDCCzP/SDRf9hIaYfafzoYvgrH83FAzplxLFZlTMn1l9R+g8I63SsGQBkFtYYWdB
         Idx2U7OxFAk+xFAmqKETGj8ZFH8SNnOeFoesUCAosfyiZ1IlUTNlLqGHQbTc7MbLRvgF
         u64Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=LxD0YS+Q;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519
 header.b=O2pdObOs;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 z12-20020a05640240cc00b004593fb0c125si8376198edb.103.2022.10.31.03.07.30;
        Mon, 31 Oct 2022 03:07:54 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=LxD0YS+Q;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519
 header.b=O2pdObOs;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229792AbiJaKCw (ORCPT <rfc822;kartikey406@gmail.com>
        + 99 others); Mon, 31 Oct 2022 06:02:52 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59602 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229505AbiJaKCv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 Oct 2022 06:02:51 -0400
Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7CB44DF1E;
        Mon, 31 Oct 2022 03:02:50 -0700 (PDT)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
 [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest
 SHA512)
        (No client certificate requested)
        by smtp-out2.suse.de (Postfix) with ESMTPS id 2F3911F91D;
        Mon, 31 Oct 2022 10:02:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_rsa;
        t=1667210569;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:
  content-transfer-encoding:content-transfer-encoding;
        bh=mG8miN6fTybhiCNoskosNwj4AqwBA6DZ0YczEenlttw=;
        b=LxD0YS+Q59489qydjVUydT37nfwSsu2PMKlO05VJTKUKvSziP8+f6Yo9TnSKvixULtO4Dd
        5PsHyBd98kspKs9E3h3GTvUHrKTLPA3BeTw63Qoy2jpmJsDXilZ8uXD4+K2CCuQOZEQL3Q
        WtIFLiv/DryCXXX+HPBra3moLPoLZF8=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
        s=susede2_ed25519; t=1667210569;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:
  content-transfer-encoding:content-transfer-encoding;
        bh=mG8miN6fTybhiCNoskosNwj4AqwBA6DZ0YczEenlttw=;
        b=O2pdObOshKEXJoLcsOnHFkdkGcxdFLObcAXDgGdqTv+ine9oS5Rk0eeXbRwVVO16FSrZ9w
        Vp1TOAmgUBAXFAAg==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
 [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest
 SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 0B2B013451;
        Mon, 31 Oct 2022 10:02:49 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id BKkWAkmdX2PPbQAAMHmgww
        (envelope-from <tiwai@suse.de>); Mon, 31 Oct 2022 10:02:49 +0000
From: Takashi Iwai <tiwai@suse.de>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Hyunwoo Kim <imv4bel@gmail.com>, linux-media@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH RE-SEND] media: dvb-core: Fix UAF due to refcount races at
 releasing
Date: Mon, 31 Oct 2022 11:02:45 +0100
Message-Id: <20221031100245.23702-1-tiwai@suse.de>
X-Mailer: git-send-email 2.35.3
MIME-Version: 1.0
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748197310027278664?=
X-GMAIL-MSGID: =?utf-8?q?1748197310027278664?=

The dvb-core tries to sync the releases of opened files at
dvb_dmxdev_release() with two refcounts: dvbdev->users and
dvr_dvbdev->users.  A problem is present in those two syncs: when yet
another dvb_demux_open() is called during those sync waits,
dvb_demux_open() continues to process even if the device is being
closed.  This includes the increment of the former refcount, resulting
in the leftover refcount after the sync of the latter refcount at
dvb_dmxdev_release().  It ends up with use-after-free, since the
function believes that all usages were gone and releases the
resources.

This patch addresses the problem by adding the check of dmxdev->exit
flag at dvb_demux_open(), just like dvb_dvr_open() already does.  With
the exit flag check, the second call of dvb_demux_open() fails, hence
the further corruption can be avoided.

Also for avoiding the races of the dmxdev->exit flag reference, this
patch serializes the dmxdev->exit set up and the sync waits with the
dmxdev->mutex lock at dvb_dmxdev_release().  Without the mutex lock,
dvb_demux_open() (or dvb_dvr_open()) may run concurrently with
dvb_dmxdev_release(), which allows to skip the exit flag check and
continue the open process that is being closed.

CVE-2022-41218 is assigned to those bugs above.

Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/20220908132754.30532-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---

Since the previous submission has been ignored, this is a resend.
CVE number and the original submission link were added.

 drivers/media/dvb-core/dmxdev.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index f6ee678107d3..9ce5f010de3f 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -790,6 +790,11 @@ static int dvb_demux_open(struct inode *inode, struct file *file)
 	if (mutex_lock_interruptible(&dmxdev->mutex))
 		return -ERESTARTSYS;
 
+	if (dmxdev->exit) {
+		mutex_unlock(&dmxdev->mutex);
+		return -ENODEV;
+	}
+
 	for (i = 0; i < dmxdev->filternum; i++)
 		if (dmxdev->filter[i].state == DMXDEV_STATE_FREE)
 			break;
@@ -1448,7 +1453,10 @@ EXPORT_SYMBOL(dvb_dmxdev_init);
 
 void dvb_dmxdev_release(struct dmxdev *dmxdev)
 {
+	mutex_lock(&dmxdev->mutex);
 	dmxdev->exit = 1;
+	mutex_unlock(&dmxdev->mutex);
+
 	if (dmxdev->dvbdev->users > 1) {
 		wait_event(dmxdev->dvbdev->wait_queue,
 				dmxdev->dvbdev->users == 1);