Acknowledged
Created: Oct 16, 2025
Updated: Oct 17, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove

The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
does not guarantee that the delayed work item irq_check_work has fully
completed if it was already running. This leads to use-after-free scenarios
where flexcop_pci_remove() may free the flexcop_device while irq_check_work
is still active and attempts to dereference the device.

A typical race condition is illustrated below:

CPU 0 (remove)                          | CPU 1 (delayed work callback)
flexcop_pci_remove()                    | flexcop_pci_irq_check_work()
  cancel_delayed_work()                 |
  flexcop_device_kfree(fc_pci->fc_dev)  |
                                        |   fc = fc_pci->fc_dev; // UAF

This is confirmed by a KASAN report:

==================================================================
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff8880093aa8c8 by task bash/135
...
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_report+0xcf/0x610
 ? __run_timer_base.part.0+0x7d7/0x8c0
 kasan_report+0xb8/0xf0
 ? __run_timer_base.part.0+0x7d7/0x8c0
 __run_timer_base.part.0+0x7d7/0x8c0
 ? __pfx___run_timer_base.part.0+0x10/0x10
 ? __pfx_read_tsc+0x10/0x10
 ? ktime_get+0x60/0x140
 ? lapic_next_event+0x11/0x20
 ? clockevents_program_event+0x1d4/0x2a0
 run_timer_softirq+0xd1/0x190
 handle_softirqs+0x16a/0x550
 irq_exit_rcu+0xaf/0xe0
 sysvec_apic_timer_interrupt+0x70/0x80
 </IRQ>
...

Allocated by task 1:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 __kmalloc_noprof+0x1be/0x460
 flexcop_device_kmalloc+0x54/0xe0
 flexcop_pci_probe+0x1f/0x9d0
 local_pci_probe+0xdc/0x190
 pci_device_probe+0x2fe/0x470
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __driver_attach+0xd2/0x310
 bus_for_each_dev+0xed/0x170
 bus_add_driver+0x208/0x500
 driver_register+0x132/0x460
 do_one_initcall+0x89/0x300
 kernel_init_freeable+0x40d/0x720
 kernel_init+0x1a/0x150
 ret_from_fork+0x10c/0x1a0
 ret_from_fork_asm+0x1a/0x30

Freed by task 135:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 kfree+0x137/0x370
 flexcop_device_kfree+0x32/0x50
 pci_device_remove+0xa6/0x1d0
 device_release_driver_internal+0xf8/0x210
 pci_stop_bus_device+0x105/0x150
 pci_stop_and_remove_bus_device_locked+0x15/0x30
 remove_store+0xcc/0xe0
 kernfs_fop_write_iter+0x2c3/0x440
 vfs_write+0x871/0xd70
 ksys_write+0xee/0x1c0
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the delayed work item is properly canceled and any executing delayed
work has finished before the device memory is deallocated.

This bug was initially identified through static analysis. To reproduce
and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
artificial delays within the flexcop_pci_irq_check_work() function to
increase the likelihood of triggering the bug.
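The difference between cancel_delayed_work() and cancel_delayed_work_sync() that the commit message describes, shown as an added user-space C simulation. This is not code from the b2c2 driver, the kernel, or Wind River: a pthread stands in for the workqueue callback, sim_cancel_delayed_work() returns without waiting for a callback that is already executing (as cancel_delayed_work() does), and sim_cancel_delayed_work_sync() joins the worker first. The "free" in the remove path is recorded as a flag rather than a real free() so the demo process itself stays memory-safe; the struct names, simulate_remove() and the 50 ms delay (mirroring the artificial delay the commit author added) are all constructed for this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Stand-in for struct flexcop_device (constructed for this example). */
struct sim_device {
    int irq_checks;            /* field the work callback writes to */
};

/* Stand-in for the driver state: the owning fc_pci plus one delayed work item. */
struct sim_driver {
    struct sim_device *fc_dev; /* what flexcop_pci_remove() frees */
    pthread_t worker;          /* thread playing the workqueue callback */
    atomic_bool running;       /* callback has started executing */
    atomic_bool joined;        /* worker has already been waited for */
    atomic_bool dev_freed;     /* kfree() already happened (tracked, not real) */
    atomic_int uaf_events;     /* callback touched fc_dev after the free */
};

/* Models flexcop_pci_irq_check_work(): deliberately slow, like the artificial
 * delay the commit author added to widen the race window. */
static void *irq_check_work(void *arg)
{
    struct sim_driver *d = arg;

    atomic_store(&d->running, true);
    usleep(50 * 1000);                      /* callback is mid-flight here */
    if (atomic_load(&d->dev_freed)) {
        /* In the kernel this dereference is the KASAN-reported UAF. */
        atomic_fetch_add(&d->uaf_events, 1);
        return NULL;
    }
    d->fc_dev->irq_checks++;                /* device still alive: normal path */
    return NULL;
}

/* cancel_delayed_work(): stops a *pending* item but does not wait for a
 * callback that is already executing. Ours is already running, so no-op. */
static void sim_cancel_delayed_work(struct sim_driver *d)
{
    (void)d;
}

/* cancel_delayed_work_sync(): additionally waits until an executing callback returns. */
static void sim_cancel_delayed_work_sync(struct sim_driver *d)
{
    pthread_join(d->worker, NULL);
    atomic_store(&d->joined, true);
}

/* Drives probe -> callback running -> remove, and returns how many times the
 * callback touched the device after the (simulated) free: 1 buggy, 0 fixed. */
int simulate_remove(bool use_sync)
{
    struct sim_driver d = { 0 };

    d.fc_dev = calloc(1, sizeof *d.fc_dev);        /* flexcop_device_kmalloc() */
    if (!d.fc_dev)
        return -1;
    if (pthread_create(&d.worker, NULL, irq_check_work, &d) != 0) {
        free(d.fc_dev);
        return -1;
    }

    /* Reach the race window: remove runs while the callback is executing. */
    while (!atomic_load(&d.running))
        usleep(1000);

    if (use_sync)
        sim_cancel_delayed_work_sync(&d);
    else
        sim_cancel_delayed_work(&d);

    /* flexcop_device_kfree(): recorded as a flag; the memory is released only
     * after the worker has finished so the demo itself never really UAFs. */
    atomic_store(&d.dev_freed, true);

    if (!atomic_load(&d.joined))
        pthread_join(d.worker, NULL);       /* buggy path: worker outlives remove */
    free(d.fc_dev);
    return atomic_load(&d.uaf_events);
}

int main(void)
{
    printf("cancel_delayed_work():      %d use-after-free event(s)\n", simulate_remove(false));
    printf("cancel_delayed_work_sync(): %d use-after-free event(s)\n", simulate_remove(true));
    return 0;
}
```

Build with `cc -pthread sim.c -o sim`. The unsynchronised path reports one event because the remove side marks the device freed while the callback is still sleeping; the synchronised path reports none because the join completes before the free, which is exactly what the switch to cancel_delayed_work_sync() guarantees in the driver.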