A vulnerability in the Linux kernel's media: pvrusb2 driver has been resolved. The issue was a use-after-free (UAF) in the pvr2_context_set_notify function, as reported by Syzbot.

For those interested in understanding the extent of this vulnerability, below is the relevant excerpt from the Syzbot bug report (KASAN splat and the allocation and free stacks, abbreviated):

BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35
Read of size 4 at addr ffff888113aebd8 by task kworker/1:1/26

CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
...
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 ...
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
 pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158

Upon analysis, it was found that Task A (the disconnect path) set disconnect_flag = !0 before it had finished using mp. That satisfied Task B's condition in the context thread, which released mp; Task A's subsequent access to mp in pvr2_context_set_notify is the use-after-free.

The recommended fix for this vulnerability is to move the disconnect_flag assignment after all other code in pvr2_context_disconnect(), so that the flag is set only once the disconnect path no longer touches mp. With this change the media: pvrusb2 driver in the Linux kernel can be used safely.
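To make the ordering concrete, here is an added example that models the race as a small deterministic simulation; it is not the kernel's code and does not touch the pvrusb2 driver. The struct fields, the step names and the context_check stand-in are assumptions simplified from the description above: Task A is the disconnect path, Task B is the context thread that releases the context once it sees disconnect_flag set. The simulation runs Task B at every possible preemption point of Task A and reports whether any interleaving touches the context after it has been released, for both the original statement order and the fixed one.

```c
#include <stdio.h>

/* Toy model (not the kernel's struct pvr2_context) of the shared context.
 * The object is never really freed; "freed" marks the point at which
 * Task B would have called the destroy routine, so a later access can be
 * flagged the way KASAN flags a slab-use-after-free. */
struct ctx {
    int disconnect_flag;   /* set by the disconnect path (Task A)            */
    int notify_flag;       /* the field set_notify reads and writes           */
    int freed;             /* 1 once Task B has released the context          */
    int uaf_detected;      /* 1 if any access happened after the release      */
};

/* Every access to the context goes through this guard. */
static int ctx_access(struct ctx *mp)
{
    if (mp->freed) {
        mp->uaf_detected = 1;
        return 0;
    }
    return 1;
}

/* Stand-in for pvr2_context_set_notify(): touches mp->notify_flag. */
static void set_notify(struct ctx *mp, int fl)
{
    if (!ctx_access(mp))
        return;
    mp->notify_flag = fl ? 1 : 0;
}

/* Stand-in for the check done by the context thread (Task B): once it
 * observes disconnect_flag it clears notification and releases mp. */
static void context_check(struct ctx *mp)
{
    if (!mp->disconnect_flag)
        return;
    set_notify(mp, 0);
    mp->freed = 1;          /* models pvr2_context_destroy(mp) */
}

/* The two statements of the disconnect path (Task A) whose order matters. */
enum step { STEP_SET_FLAG, STEP_NOTIFY };

/* Run Task A's steps in the given order, letting Task B run once right
 * after step `preempt_after` (-1 = before any step). Returns 1 on UAF. */
static int run_interleaving(const enum step *steps, int nsteps, int preempt_after)
{
    struct ctx mp = {0};
    if (preempt_after < 0)
        context_check(&mp);
    for (int i = 0; i < nsteps; i++) {
        if (steps[i] == STEP_SET_FLAG)
            mp.disconnect_flag = 1;   /* disconnect_flag = !0 */
        else
            set_notify(&mp, 1);       /* pvr2_context_notify(mp) */
        if (i == preempt_after)
            context_check(&mp);
    }
    return mp.uaf_detected;
}

/* Exhaustively try every preemption point; 1 if any ordering is unsafe. */
static int any_interleaving_hits_uaf(const enum step *steps, int nsteps)
{
    for (int p = -1; p < nsteps; p++)
        if (run_interleaving(steps, nsteps, p))
            return 1;
    return 0;
}

/* Original order: flag first, then further use of mp. */
static const enum step vulnerable_order[] = { STEP_SET_FLAG, STEP_NOTIFY };
/* Fixed order: all use of mp first, the flag as the last statement. */
static const enum step fixed_order[]      = { STEP_NOTIFY, STEP_SET_FLAG };

int vulnerable_has_uaf(void) { return any_interleaving_hits_uaf(vulnerable_order, 2); }
int fixed_has_uaf(void)      { return any_interleaving_hits_uaf(fixed_order, 2); }

int main(void)
{
    printf("vulnerable ordering: %s\n",
           vulnerable_has_uaf() ? "use-after-free reachable" : "clean");
    printf("fixed ordering:      %s\n",
           fixed_has_uaf() ? "use-after-free reachable" : "clean");
    return 0;
}
```

The point the model makes is that the flag is a handover of ownership: once Task A publishes disconnect_flag, Task B is entitled to release the object, so any access by Task A after that point is a bug regardless of how rarely the scheduler interleaves the two. Enumerating the preemption points, rather than spinning real threads, makes the check deterministic; the real driver additionally waits for its channel list to drain before destroying the context, which the model omits.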

1. Syzbot bug report
2. LWN.net article

With the proposed fix, the Linux kernel media: pvrusb2 module is now more secure, and users can continue to safely utilize it. If you are currently using a version of the Linux kernel with this vulnerability, it is highly advised to apply the recommended patch or update to a newer, secure version of the kernel as soon as possible.

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 08/08/2024 19:35:13 UTC