[PATCH] drivers: tty: vcc: Fix use-after-free in vcc_open()

From: Yoochan Lee <yoochan1026@gmail.com>
To: davem@davemloft.net
Cc: sparclinux@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yoochan Lee <yoochan1026@gmail.com>
Subject: [PATCH] drivers: tty: vcc: Fix use-after-free in vcc_open()
Date: Mon,  2 Jan 2023 10:05:28 +0900	[thread overview]
Message-ID: <20230102010528.2868403-1-yoochan1026@gmail.com> (raw)

This bug assumes that the hacker can physically access the
target computer.

A race condition may occur if the user physically removes the
vcc device while calling open().

This is a race condition between vcc_open() function and
the vcc_remove() function, which may lead to Use-After-Free.

Therefore, add a refcount check to vcc_remove() function
to free the "vcc_port" structure after the device is close()d.

---------------CPU 0--------------------CPU 1-----------------
            vcc_open()        |        vcc_remove()
--------------------------------------------------------------
    port = vcc_get_ne(tty->   |
      index); — (1)           |
                              |   struct vcc_port *port =
                              |    dev_get_drvdata(&vdev->dev);
                              |   ...
                              |   kfree(port); — (2)
 vccdbgl(port->vio.lp); — (3) |

This type of race condition is similar with CVE-2022-44032,
CVE-2022-44033, and CVE-2022-44034.
---
 drivers/tty/vcc.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c
index 34ba6e54789a..31f274c4aa25 100644
--- a/drivers/tty/vcc.c
+++ b/drivers/tty/vcc.c
@@ -41,6 +41,8 @@ struct vcc_port {
 
 	struct timer_list rx_timer;
 	struct timer_list tx_timer;
+	struct vio_dev *vdev;
+	struct kref refcnt;
 };
 
 /* Microseconds that thread will delay waiting for a vcc port ref */
@@ -104,6 +106,7 @@ static const struct ktermios vcc_tty_termios = {
 	.c_ospeed = 38400
 };
 
+static void vcc_delete(struct kref *kref);
 /**
  * vcc_table_add() - Add VCC port to the VCC table
  * @port: pointer to the VCC port
@@ -586,6 +589,8 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
 		goto free_port;
 
 	port->vio.debug = vcc_dbg_vio;
+	port->vdev = vdev;
+	kref_init(&port->refcnt);
 	vcc_ldc_cfg.debug = vcc_dbg_ldc;
 
 	rv = vio_ldc_alloc(&port->vio, &vcc_ldc_cfg, port);
@@ -673,6 +678,14 @@ static void vcc_remove(struct vio_dev *vdev)
 {
 	struct vcc_port *port = dev_get_drvdata(&vdev->dev);
 
+	kref_put(&port->refcnt, vcc_delete);
+}
+
+static void vcc_delete(struct kref *kref)
+{
+	struct vcc_port *port = container_of(kref, struct vcc_port, refcnt);
+	struct viod_dev *vdev = port->vdev;
+
 	del_timer_sync(&port->rx_timer);
 	del_timer_sync(&port->tx_timer);
 
@@ -752,12 +765,15 @@ static int vcc_open(struct tty_struct *tty, struct file *vcc_file)
 		pr_err("VCC: open: TTY ops not defined\n");
 		return -ENXIO;
 	}
+	kref_get(&port->refcnt);
 
 	return tty_port_open(tty->port, tty, vcc_file);
 }
 
 static void vcc_close(struct tty_struct *tty, struct file *vcc_file)
 {
+	struct vcc_port *port = vcc_get_ne(tty->index);
+
 	if (unlikely(tty->count > 1))
 		return;
 
@@ -767,6 +783,8 @@ static void vcc_close(struct tty_struct *tty, struct file *vcc_file)
 	}
 
 	tty_port_close(tty->port, tty, vcc_file);
+
+	kref_put(&port->refcnt, vcc_delete);
 }
 
 static void vcc_ldc_hup(struct vcc_port *port)
-- 
2.39.0

