Description
In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.
Product status
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 87b9685cca91ed715c39ba544715832d26a7f4b4
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 131ec9046e1c8af101aebdaec4e8095e05f3312b
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 67fd62e3efdc9dce01f76d95a745212f4feb38e6
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 45cbaf5c7cdc5386d86377f0daf94a17a007fed0
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 98a0a81ce78020c2522e0046f49d200de9778cb9
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 07e9e674b6146b1f6fc41b1f54b8968bf2802824
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 2145c71a8044362e82e9923f001ba2aeb771b848
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before fcd1d70792a35c8a97414fe429f48311e41269c2
8bc4a9ed85046c214458c9e82aea75d2f46cfffd (git) before 3b7da2b4d0fe014eff181ed37e3bf832eb8ed258
4.4
Any version before 4.4
5.10.258 (semver)
5.15.209 (semver)
6.1.175 (semver)
6.6.136 (semver)
6.12.83 (semver)
6.18.24 (semver)
6.19.14 (semver)
7.0.1 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/87b9685cca91ed715c39ba544715832d26a7f4b4
git.kernel.org/...c/131ec9046e1c8af101aebdaec4e8095e05f3312b
git.kernel.org/...c/67fd62e3efdc9dce01f76d95a745212f4feb38e6
git.kernel.org/...c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0
git.kernel.org/...c/98a0a81ce78020c2522e0046f49d200de9778cb9
git.kernel.org/...c/07e9e674b6146b1f6fc41b1f54b8968bf2802824
git.kernel.org/...c/2145c71a8044362e82e9923f001ba2aeb771b848
git.kernel.org/...c/fcd1d70792a35c8a97414fe429f48311e41269c2
git.kernel.org/...c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258