7.8
CWE
416 362
Advisory Published
Updated

CVE-2023-1118: Use After Free

First published: Fri Feb 10 2023(Updated: )

A flaw in the Linux Kernel found. There are use-after-free vulnerabilities in drivers/media/rc/ene_ir.c of linux that allow attacker to crash linux kernel without any privilege by detaching rc device. When the rc device is detaching, function ene_remove() will be called. But the synchronizations in ene_remove() are bad. The situations that may lead to race conditions are shown below. Firstly, the rx receiver is disabled with ene_rx_disable() before rc_unregister_device() in ene_remove(), which means it can be enabled again if a process opens /dev/lirc0 between ene_rx_disable() and rc_unregister_device(). (cleanup routine) | (open routine) ene_remove() | ene_rx_disable(dev); | ene_open() | ene_rx_enable(dev); //re-enable! Secondly, the irqaction descriptor is freed by free_irq() before the rc device is unregistered, which means irqaction descriptor may be accessed again after it is deallocated. (free routine) | (use routine) ene_remove() | ene_rx_enable() free_irq(dev-&gt;irq, ...); //FREE | ene_rx_enable_hw() | ene_write_reg(..., dev-&gt;irq &lt;&lt; 1) //USE | Thirdly, the timer can call ene_tx_sample() that can write to the io ports, which means the io ports could be accessed again after they are deallocated by release_region(). (free routine) | (use routine) ene_remove() | ene_tx_sample() release_region(dev-&gt;hw_io, ...); //FREE | ene_write_reg() | outb(..., dev-&gt;hw_io + ENE_IO) //USE Fourthly, there is no function to cancel tx_sim_timer in ene_remove(), the timer handler ene_tx_irqsim() could race with ene_remove(). As a result, the UAF bugs could happen, the process is shown below. (free routine) | (use routine) | mod_timer(&amp;dev-&gt;tx_sim_timer, ..) ene_remove() | (wait a time) kfree(dev) //FREE | ene_tx_irqsim() | dev-&gt;hw_lock //USE | ene_tx_sample(dev) //USE ------------------------------------------ Reference: <a href="https://github.com/torvalds/linux/commit/29b0589a865b6f66d141d79b2dd1373e4e50fe17">https://github.com/torvalds/linux/commit/29b0589a865b6f66d141d79b2dd1373e4e50fe17</a>

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
Linux Linux kernel>=2.6.36<4.14.308
Linux Linux kernel>=4.15<4.19.276
Linux Linux kernel>=4.20<5.4.235
Linux Linux kernel>=5.5<5.10.173
Linux Linux kernel>=5.11<5.15.99
Linux Linux kernel>=5.16<6.1.16
Linux Linux kernel>=6.2<6.2.3
IBM QRadar SIEM<=7.5 - 7.5.0 UP8 IF01
redhat/Linux kernel<6.3
6.3
ubuntu/linux<4.15.0-211.222
4.15.0-211.222
ubuntu/linux<5.4.0-149.166
5.4.0-149.166
ubuntu/linux<5.15.0-72.79
5.15.0-72.79
ubuntu/linux<5.19.0-42.43
5.19.0-42.43
ubuntu/linux<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux<4.4.0-239.273
4.4.0-239.273
ubuntu/linux-aws<4.15.0-1156.169
4.15.0-1156.169
ubuntu/linux-aws<5.4.0-1102.110
5.4.0-1102.110
ubuntu/linux-aws<5.15.0-1036.40
5.15.0-1036.40
ubuntu/linux-aws<5.19.0-1025.26
5.19.0-1025.26
ubuntu/linux-aws<6.2.0-1003.3
6.2.0-1003.3
ubuntu/linux-aws<4.4.0-1117.123
4.4.0-1117.123
ubuntu/linux-aws<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws<4.4.0-1155.170
4.4.0-1155.170
ubuntu/linux-aws-5.0<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws-5.15<5.15.0-1036.40~20.04.1
5.15.0-1036.40~20.04.1
ubuntu/linux-aws-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws-5.4<5.4.0-1103.111~18.04.1
5.4.0-1103.111~18.04.1
ubuntu/linux-aws-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws-fips<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws-hwe<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-aws-hwe<4.15.0-1156.169~16.04.1
4.15.0-1156.169~16.04.1
ubuntu/linux-azure<5.4.0-1108.114
5.4.0-1108.114
ubuntu/linux-azure<5.15.0-1038.45
5.15.0-1038.45
ubuntu/linux-azure<5.19.0-1026.29
5.19.0-1026.29
ubuntu/linux-azure<6.2.0-1003.3
6.2.0-1003.3
ubuntu/linux-azure<4.15.0-1165.180~14.04.1
4.15.0-1165.180~14.04.1
ubuntu/linux-azure<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure<4.15.0-1165.180~16.04.1
4.15.0-1165.180~16.04.1
ubuntu/linux-azure-4.15<4.15.0-1165.180
4.15.0-1165.180
ubuntu/linux-azure-4.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-5.15<5.15.0-1038.45~20.04.1
5.15.0-1038.45~20.04.1
ubuntu/linux-azure-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-5.19<5.19.0-1026.29~22.04.1
5.19.0-1026.29~22.04.1
ubuntu/linux-azure-5.4<5.4.0-1108.114~18.04.1
5.4.0-1108.114~18.04.1
ubuntu/linux-azure-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-edge<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-fde<5.4.0-1108.114
5.4.0-1108.114
ubuntu/linux-azure-fde<5.15.0-1038.45.1
5.15.0-1038.45.1
ubuntu/linux-azure-fde<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-fde-5.15<5.15.0-1038.45~20.04.1.1
5.15.0-1038.45~20.04.1.1
ubuntu/linux-azure-fde-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-fde-5.19<5.19.0-1026.29~22.04.1
5.19.0-1026.29~22.04.1
ubuntu/linux-azure-fde-5.19<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-azure-fips<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-bluefield<5.4.0-1064.70
5.4.0-1064.70
ubuntu/linux-bluefield<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-dell300x<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-fips<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gcp<5.4.0-1105.114
5.4.0-1105.114
ubuntu/linux-gcp<5.15.0-1034.42
5.15.0-1034.42
ubuntu/linux-gcp<5.19.0-1024.26
5.19.0-1024.26
ubuntu/linux-gcp<6.2.0-1005.5
6.2.0-1005.5
ubuntu/linux-gcp<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gcp<4.15.0-1150.166~16.04.1
4.15.0-1150.166~16.04.1
ubuntu/linux-gcp-4.15<4.15.0-1150.166
4.15.0-1150.166
ubuntu/linux-gcp-4.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gcp-5.15<5.15.0-1034.42~20.04.1
5.15.0-1034.42~20.04.1
ubuntu/linux-gcp-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gcp-5.4<5.4.0-1105.114~18.04.1
5.4.0-1105.114~18.04.1
ubuntu/linux-gcp-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gcp-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gcp-fips<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gke<5.4.0-1099.106
5.4.0-1099.106
ubuntu/linux-gke<5.15.0-1033.38
5.15.0-1033.38
ubuntu/linux-gke<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gke-4.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gke-5.0<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gke-5.15<5.15.0-1033.38~20.04.1
5.15.0-1033.38~20.04.1
ubuntu/linux-gke-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gke-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gkeop<5.4.0-1069.73
5.4.0-1069.73
ubuntu/linux-gkeop<5.15.0-1020.25
5.15.0-1020.25
ubuntu/linux-gkeop<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gkeop-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-gkeop-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-hwe<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-hwe<4.15.0-211.222~16.04.1
4.15.0-211.222~16.04.1
ubuntu/linux-hwe-5.15<5.15.0-72.79~20.04.1
5.15.0-72.79~20.04.1
ubuntu/linux-hwe-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-hwe-5.19<5.19.0-42.43~22.04.1
5.19.0-42.43~22.04.1
ubuntu/linux-hwe-5.4<5.4.0-149.166~18.04.1
5.4.0-149.166~18.04.1
ubuntu/linux-hwe-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-hwe-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-hwe-edge<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-ibm<5.4.0-1049.54
5.4.0-1049.54
ubuntu/linux-ibm<5.15.0-1030.33
5.15.0-1030.33
ubuntu/linux-ibm<5.19.0-1022.24
5.19.0-1022.24
ubuntu/linux-ibm<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-ibm-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-ibm-5.4<5.4.0-1049.54~18.04.1
5.4.0-1049.54~18.04.1
ubuntu/linux-ibm-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-intel<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-intel-5.13<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-intel-iotg<5.15.0-1030.35
5.15.0-1030.35
ubuntu/linux-intel-iotg<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-intel-iotg-5.15<5.15.0-1030.35~20.04.1
5.15.0-1030.35~20.04.1
ubuntu/linux-intel-iotg-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-iot<5.4.0-1017.18
5.4.0-1017.18
ubuntu/linux-iot<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-kvm<4.15.0-1140.145
4.15.0-1140.145
ubuntu/linux-kvm<5.4.0-1091.97
5.4.0-1091.97
ubuntu/linux-kvm<5.15.0-1033.38
5.15.0-1033.38
ubuntu/linux-kvm<5.19.0-1023.24
5.19.0-1023.24
ubuntu/linux-kvm<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-kvm<4.4.0-1118.128
4.4.0-1118.128
ubuntu/linux-laptop<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-lowlatency<5.15.0-72.79
5.15.0-72.79
ubuntu/linux-lowlatency<5.19.0-1024.25
5.19.0-1024.25
ubuntu/linux-lowlatency<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-lowlatency-hwe-5.15<5.15.0-72.79~20.04.1
5.15.0-72.79~20.04.1
ubuntu/linux-lowlatency-hwe-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-lowlatency-hwe-5.19<5.19.0-1024.25~22.04.1
5.19.0-1024.25~22.04.1
ubuntu/linux-lowlatency-hwe-5.19<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-lowlatency-hwe-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-lts-xenial<4.4.0-239.273~14.04.1
4.4.0-239.273~14.04.1
ubuntu/linux-lts-xenial<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-nvidia<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-nvidia-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-5.10<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-5.14<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-5.17<5.17.0-1030.31
5.17.0-1030.31
ubuntu/linux-oem-5.17<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-5.6<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-6.0<6.0.0-1014.14
6.0.0-1014.14
ubuntu/linux-oem-6.0<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-6.1<6.1.0-1009.9
6.1.0-1009.9
ubuntu/linux-oem-6.1<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-6.8<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oem-osp1<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oracle<4.15.0-1119.130
4.15.0-1119.130
ubuntu/linux-oracle<5.4.0-1101.110
5.4.0-1101.110
ubuntu/linux-oracle<5.15.0-1035.41
5.15.0-1035.41
ubuntu/linux-oracle<5.19.0-1023.26
5.19.0-1023.26
ubuntu/linux-oracle<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oracle<4.15.0-1119.130~16.04.1
4.15.0-1119.130~16.04.1
ubuntu/linux-oracle-5.0<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oracle-5.13<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oracle-5.15<5.15.0-1035.41~20.04.1
5.15.0-1035.41~20.04.1
ubuntu/linux-oracle-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oracle-5.4<5.4.0-1101.110~18.04.1
5.4.0-1101.110~18.04.1
ubuntu/linux-oracle-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-oracle-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-raspi<5.4.0-1085.96
5.4.0-1085.96
ubuntu/linux-raspi<5.15.0-1029.31
5.15.0-1029.31
ubuntu/linux-raspi<5.19.0-1018.25
5.19.0-1018.25
ubuntu/linux-raspi<6.2.0-1004.5
6.2.0-1004.5
ubuntu/linux-raspi<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-raspi-5.4<5.4.0-1085.96~18.04.1
5.4.0-1085.96~18.04.1
ubuntu/linux-raspi-5.4<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-raspi2<4.15.0-1132.140
4.15.0-1132.140
ubuntu/linux-raspi2<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-riscv<5.19.0-1018.19
5.19.0-1018.19
ubuntu/linux-riscv<6.2.0-19.19.1
6.2.0-19.19.1
ubuntu/linux-riscv<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-riscv-5.15<5.15.0-1033.37~20.04.1
5.15.0-1033.37~20.04.1
ubuntu/linux-riscv-5.15<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-riscv-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-snapdragon<4.15.0-1150.160
4.15.0-1150.160
ubuntu/linux-snapdragon<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-starfive<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-starfive-6.5<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
ubuntu/linux-xilinx-zynqmp<5.4.0-1024.28
5.4.0-1024.28
ubuntu/linux-xilinx-zynqmp<6.3~<5.4.235<5.15.99
6.3~
5.4.235
5.15.99
debian/linux
5.10.218-1
6.1.94-1
6.1.90-1
6.9.8-1
6.9.9-1

Remedy

To mitigate this issue, prevent module ene_ir from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203