From: Mauro Carvalho Chehab <mchehab@kernel.org>
To: Lee Jones <lee@kernel.org>
Cc: Takashi Iwai <tiwai@suse.de>, Hyunwoo Kim <imv4bel@gmail.com>,
kernel@tuxforce.de, linux-media@vger.kernel.org,
linux-usb@vger.kernel.org, cai.huoqing@linux.dev
Subject: Re: [PATCH v3 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver
Date: Thu, 9 Mar 2023 01:15:25 +0100 [thread overview]
Message-ID: <20230309011525.49ac3399@coco.lan> (raw)
In-Reply-To: <20230307103659.GA347928@google.com>
Em Tue, 7 Mar 2023 10:36:59 +0000
Lee Jones <lee@kernel.org> escreveu:
> On Tue, 28 Feb 2023, Lee Jones wrote:
>
> > On Wed, 22 Feb 2023, Lee Jones wrote:
> >
> > > On Tue, 10 Jan 2023, Takashi Iwai wrote:
> > >
> > > > On Thu, 17 Nov 2022 05:59:21 +0100,
> > > > Hyunwoo Kim wrote:
> > > > >
> > > > > Dear,
> > > > >
> > > > > This patch set is a security patch for various race condition vulnerabilities that occur
> > > > > in 'dvb-core' and 'ttusb_dec', a dvb-based device driver.
> > > > >
> > > > >
> > > > > # 1. media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend
> > > > > This is a security patch for a race condition that occurs in the dvb_frontend system of dvb-core.
> > > > >
> > > > > The race condition that occurs here will occur with _any_ device driver using dvb_frontend.
> > > > >
> > > > > The race conditions that occur in dvb_frontend are as follows
> > >
> > > [...]
> > >
> > > > > # 4. media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb()
> > > > > This is a patch for a memory leak that occurs in the ttusb_dec_exit_dvb() function.
> > > > >
> > > > > Because ttusb_dec_exit_dvb() does not call dvb_frontend_detach(),
> > > > > several fe related structures are not kfree()d.
> > > > >
> > > > > Users can trigger a memory leak just by repeating connecting and disconnecting
> > > > > the ttusb_dec device.
> > > > >
> > > > >
> > > > > Finally, most of these patches are similar to this one, the security patch for
> > > > > CVE-2022-41218 that I reported:
> > > > > https://lore.kernel.org/linux-media/20221031100245.23702-1-tiwai@suse.de/
> > > > >
> > > > >
> > > > > Regards,
> > > > > Hyunwoo Kim
> > > >
> > > > Are those issues still seen with the latest 6.2-rc kernel?
> > > > I'm asking because there have been a few fixes in dvb-core to deal
> > > > with some UAFs.
> > > >
> > > > BTW, Mauro, the issues are tagged with several CVE's:
> > > > CVE-2022-45884, CVE-2022-45886, CVE-2022-45885, CVE-2022-45887.
> > >
> > > Was there an answer to this question?
> > >
> > > Rightly or wrongly this patch is still being touted as the fix for some
> > > reported CVEs [0].
> > >
> > > Is this patch still required or has it been superseded? If the later,
> > > which patch superseded it?
> > >
> > > Thanks.
> > >
> > > [0] https://nvd.nist.gov/vuln/detail/CVE-2022-45886
> >
> > Have these issues been fixed already?
> >
> > If not, is this patch set due to be merged or reviewed?
>
> Still nothing heard from the author or any maintainer.
We're currently lacking a sub-maintainer for dvb. Changes at the
DVB mutexes have been problematic and require tests on some
devices, specially on those with multiple frontends.
I'll try to find some time to review and test those patches.
>
> I'd take this as a hint if I had any social skills!
>
> Please could someone provide me with a status report on these patches?
>
> They appear to have CVEs associated with them. Have they been fixed?
>
> --
> Lee Jones [李琼斯]
Thanks,
Mauro
next prev parent reply other threads:[~2023-03-09 0:15 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-17 4:59 [PATCH v3 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 1/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 2/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_net Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 3/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_register_device() Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 4/4] media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb() Hyunwoo Kim
2023-01-10 14:18 ` [PATCH v3 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver Takashi Iwai
2023-02-22 13:23 ` Lee Jones
2023-02-28 11:32 ` Lee Jones
2023-03-07 10:36 ` Lee Jones
2023-03-07 11:08 ` V4bel
2023-03-08 13:39 ` Lee Jones
2023-03-09 0:15 ` Mauro Carvalho Chehab [this message]
2023-03-09 17:17 ` Lee Jones
2023-05-13 18:09 ` Mauro Carvalho Chehab
2023-05-14 14:56 ` Mauro Carvalho Chehab
2023-03-07 12:41 ` Mauro Carvalho Chehab
[not found] ` <CADUEyCz=xuYjNQohgOi86vm4P4YyfO86AbM0cWdFrs1Y_6276g@mail.gmail.com>
2023-03-09 2:06 ` Hyunwoo Kim
2023-03-09 17:18 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230309011525.49ac3399@coco.lan \
--to=mchehab@kernel.org \
--cc=cai.huoqing@linux.dev \
--cc=imv4bel@gmail.com \
--cc=kernel@tuxforce.de \
--cc=lee@kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).