Acknowledged
Created: Oct 16, 2025
Updated: Oct 17, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

media: rc: fix races with imon_disconnect()

Syzbot reports a KASAN issue as below:
BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465

CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__create_pipe include/linux/usb.h:1945 [inline]
send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
vfs_write+0x2d7/0xdd0 fs/read_write.c:576
ksys_write+0x127/0x250 fs/read_write.c:631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the
device.

Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
protected by the users counter (ictx->users). During probe,
imon_init_intf0 or imon_init_intf1 increments the usb_device
reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of
actual usage.

As a result, if vfd_write or other operations are still in
progress after disconnect, this can lead to a use-after-free of
the usb_device pointer.

Thread 1 vfd_write                      Thread 2 imon_disconnect
                                        ...
                                        if
                                          usb_put_dev(ictx->usbdev_intf0)
                                        else
                                          usb_put_dev(ictx->usbdev_intf1)
...
while
  send_packet
    if
      pipe = usb_sndintpipe(
        ictx->usbdev_intf0) UAF
    else
      pipe = usb_sndctrlpipe(
        ictx->usbdev_intf0, 0) UAF

Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
checking ictx->disconnected in all writer paths. Add early return
with -ENODEV in send_packet(), vfd_write(), lcd_write() and
display_open() if the device is no longer present.

Set and read ictx->disconnected under ictx->lock to ensure memory
synchronization. Acquire the lock in imon_disconnect() before setting
the flag to synchronize with any ongoing operations.

Ensure writers exit early and safely after disconnect before the USB
core proceeds with cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
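
The guard described above, modelled in userspace as an added example; this is not code from the kernel driver or from this advisory. The model_* names and the pthread mutex standing in for ictx->lock are assumptions made for illustration.

```c
/* Added userspace model of the guard pattern; not the imon driver's code. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct model_usb_dev { int refcount; int packets_sent; }; /* stand-in for usb_device */
struct model_imon_ctx {
    pthread_mutex_t lock;               /* role of ictx->lock */
    bool disconnected;                  /* role of ictx->disconnected */
    struct model_usb_dev *usbdev_intf0; /* reference taken at probe */
};

static int model_probe(struct model_imon_ctx *c)   /* hypothetical helper */
{
    c->usbdev_intf0 = calloc(1, sizeof(*c->usbdev_intf0));
    if (!c->usbdev_intf0)
        return -ENOMEM;
    c->usbdev_intf0->refcount = 1;
    c->disconnected = false;
    return pthread_mutex_init(&c->lock, NULL) ? -EINVAL : 0;
}

/* Writer path: test the flag under the lock before touching the device. */
static long model_vfd_write(struct model_imon_ctx *c, long n_bytes)
{
    long ret = -ENODEV;                  /* device gone: exit early */
    pthread_mutex_lock(&c->lock);
    if (!c->disconnected) {
        c->usbdev_intf0->packets_sent++; /* safe: reference still held */
        ret = n_bytes;
    }
    pthread_mutex_unlock(&c->lock);
    return ret;
}

/* Disconnect: set the flag under the same lock, then drop the reference. */
static void model_disconnect(struct model_imon_ctx *c)
{
    pthread_mutex_lock(&c->lock);        /* waits for any in-flight writer */
    c->disconnected = true;
    pthread_mutex_unlock(&c->lock);
    if (--c->usbdev_intf0->refcount == 0)
        free(c->usbdev_intf0);
    c->usbdev_intf0 = NULL;
}
```

Because the flag is set and read under one lock, a writer either completes before the reference is dropped or observes the flag and returns -ENODEV without dereferencing the device pointer.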