From: Lee Jones <lee@kernel.org>
To: Takashi Iwai <tiwai@suse.de>
Cc: Hyunwoo Kim <imv4bel@gmail.com>,
mchehab@kernel.org, kernel@tuxforce.de,
linux-media@vger.kernel.org, linux-usb@vger.kernel.org,
cai.huoqing@linux.dev
Subject: Re: [PATCH v3 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver
Date: Tue, 28 Feb 2023 11:32:31 +0000 [thread overview]
Message-ID: <Y/3mT9uSsuviT+sa@google.com> (raw)
In-Reply-To: <Y/YXbNgBhhWhfjwS@google.com>
On Wed, 22 Feb 2023, Lee Jones wrote:
> On Tue, 10 Jan 2023, Takashi Iwai wrote:
>
> > On Thu, 17 Nov 2022 05:59:21 +0100,
> > Hyunwoo Kim wrote:
> > >
> > > Dear,
> > >
> > > This patch set is a security patch for various race condition vulnerabilities that occur
> > > in 'dvb-core' and 'ttusb_dec', a dvb-based device driver.
> > >
> > >
> > > # 1. media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend
> > > This is a security patch for a race condition that occurs in the dvb_frontend system of dvb-core.
> > >
> > > The race condition that occurs here will occur with _any_ device driver using dvb_frontend.
> > >
> > > The race conditions that occur in dvb_frontend are as follows
>
> [...]
>
> > > # 4. media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb()
> > > This is a patch for a memory leak that occurs in the ttusb_dec_exit_dvb() function.
> > >
> > > Because ttusb_dec_exit_dvb() does not call dvb_frontend_detach(),
> > > several fe related structures are not kfree()d.
> > >
> > > Users can trigger a memory leak just by repeating connecting and disconnecting
> > > the ttusb_dec device.
> > >
> > >
> > > Finally, most of these patches are similar to this one, the security patch for
> > > CVE-2022-41218 that I reported:
> > > https://lore.kernel.org/linux-media/20221031100245.23702-1-tiwai@suse.de/
> > >
> > >
> > > Regards,
> > > Hyunwoo Kim
> >
> > Are those issues still seen with the latest 6.2-rc kernel?
> > I'm asking because there have been a few fixes in dvb-core to deal
> > with some UAFs.
> >
> > BTW, Mauro, the issues are tagged with several CVE's:
> > CVE-2022-45884, CVE-2022-45886, CVE-2022-45885, CVE-2022-45887.
>
> Was there an answer to this question?
>
> Rightly or wrongly this patch is still being touted as the fix for some
> reported CVEs [0].
>
> Is this patch still required or has it been superseded? If the later,
> which patch superseded it?
>
> Thanks.
>
> [0] https://nvd.nist.gov/vuln/detail/CVE-2022-45886
Have these issues been fixed already?
If not, is this patch set due to be merged or reviewed?
--
Lee Jones [李琼斯]
next prev parent reply other threads:[~2023-02-28 11:32 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-17 4:59 [PATCH v3 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 1/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 2/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_net Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 3/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_register_device() Hyunwoo Kim
2022-11-17 4:59 ` [PATCH v3 4/4] media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb() Hyunwoo Kim
2023-01-10 14:18 ` [PATCH v3 0/4] Fix multiple race condition vulnerabilities in dvb-core and device driver Takashi Iwai
2023-02-22 13:23 ` Lee Jones
2023-02-28 11:32 ` Lee Jones [this message]
2023-03-07 10:36 ` Lee Jones
2023-03-07 11:08 ` V4bel
2023-03-08 13:39 ` Lee Jones
2023-03-09 0:15 ` Mauro Carvalho Chehab
2023-03-09 17:17 ` Lee Jones
2023-05-13 18:09 ` Mauro Carvalho Chehab
2023-05-14 14:56 ` Mauro Carvalho Chehab
2023-03-07 12:41 ` Mauro Carvalho Chehab
[not found] ` <CADUEyCz=xuYjNQohgOi86vm4P4YyfO86AbM0cWdFrs1Y_6276g@mail.gmail.com>
2023-03-09 2:06 ` Hyunwoo Kim
2023-03-09 17:18 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y/3mT9uSsuviT+sa@google.com \
--to=lee@kernel.org \
--cc=cai.huoqing@linux.dev \
--cc=imv4bel@gmail.com \
--cc=kernel@tuxforce.de \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).