CVE CyberSecurity Database News

CVE-2020-36785 - Addressing the Linux Kernel Vulnerability: Use After Free Exploit in AtomISP Alloc_CSS_STAT_BUFs()

Poster -

The Linux kernel is the core component of the Linux operating system, responsible for managing hardware, running user programs, and maintaining the overall stability and performance of the system. Unfortunately, like other software, the Linux kernel is not immune to security vulnerabilities. One such vulnerability recently discovered is CVE-2020-36785, which pertains to an issue in the Linux Kernel's media subsystem that could lead to use-after-free (UAF) exploits.

What is the Vulnerability?
The vulnerability exists in the media subsystem's atomisp component, found in the atomisp_alloc_css_stat_bufs() function. The specific issue occurs when "s3a_buf" is freed along with all other items on the "asd->s3a_stats" list. This can cause a double free and a use-after-free scenario. In a UAF exploit, an attacker may potentially gain unauthorized access or crash a vulnerable system by exploiting memory that has been freed but not yet reallocated.

Here is a code snippet highlighting the atomisp_alloc_css_stat_bufs() function

int atomisp_alloc_css_stat_bufs(struct atomisp_device *isp)
{
    struct atomisp_sub_device *asd = &isp->asd;
    ....
    list_for_each_entry(s3a_buf, &asd->s3a_stats, list) {
        if (s3a_buf->index == handle && !s3a_buf->num_users) {
            ...
            list_add_tail(&s3a_buf->list, &asd_tmp->s3a_stats);
            return ;
        }
    }
    ...
    s3a_buf = kzalloc(stat_buf_size, GFP_KERNEL);
    ...
}

In the above code, the 'list_for_each_entry' loop iterates through the 'asd->s3a_stats' list and tries to find an existing buffer with the given index and zero users. If the search is successful, it adds the found buffer to the 'asd_tmp->s3a_stats' list and returns. If not, it allocates memory for a new buffer using kzalloc(). The flaw occurs when the kernel simultaneously frees 's3a_buf' along with all the other items on the 'asd->s3a_stats' list, thereby causing the use-after-free vulnerability.

How Was This Vulnerability Addressed?
The Linux Kernel community has already patched this vulnerability in the kernel codebase. You can find the original git commit that resolves this issue here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=eba6ea284d62b8e773694070ec935a8daa1433e1

This commit involves fixing the atomisp_alloc_css_stat_bufs() function to avoid the problematic use-after-free behavior, ensuring that individual buffers are properly managed and are not subject to potential memory exploits.

Conclusion

CVE-2020-36785 highlights the importance of staying aware of security vulnerabilities in the Linux kernel and other core components of our systems. Regularly updating your system and applying security patches protects you and your organization from potential threats. Stay vigilant, and ensure that you are using the latest available kernel to minimize exposure to known vulnerabilities.

Timeline

Published on: 02/28/2024 09:15:36 UTC
Last modified on: 05/29/2024 04:58:30 UTC