In the Linux kernel, the following vulnerability has been...
High severity
Unreviewed
Published
Feb 20, 2024
to the GitHub Advisory Database
•
Updated Dec 27, 2024
Description
Published by the National Vulnerability Database
Feb 20, 2024
Published to the GitHub Advisory Database
Feb 20, 2024
Last updated
Dec 27, 2024
In the Linux kernel, the following vulnerability has been resolved:
uio: Fix use-after-free in uio_open
core-1 core-2
uio_unregister_device uio_open
idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
uio_release
put_device(&idev->dev)
kfree(idev)
In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
freed.
To address this issue, we can get idev atomic & inc idev reference with
minor_lock.
References