| Description: | In the Linux kernel, the following vulnerability has been resolved:
uio: Fix use-after-free in uio_open core-1 core-2
-------------------------------------------------------
uio_unregister_device uio_open idev = idr_find()
device_unregister(&idev->dev) put_device(&idev->dev)
uio_device_release get_device(&idev->dev) kfree(idev)
uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev)
------------------------------------------------------- In the core-1
uio_unregister_device(), the device_unregister will kfree idev when
the idev->dev kobject ref is 1. But after core-1 device_unregister,
put_device and before doing kfree, the core-2 may get_device. Then: 1.
After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
freed. To address this issue, we can get idev atomic & inc idev
reference with minor_lock.
|
