CVE-2023-1118: Use After Free

First published: Fri Feb 10 2023(Updated: )

A flaw in the Linux Kernel found. There are use-after-free vulnerabilities in drivers/media/rc/ene_ir.c of linux that allow attacker to crash linux kernel without any privilege by detaching rc device. When the rc device is detaching, function ene_remove() will be called. But the synchronizations in ene_remove() are bad. The situations that may lead to race conditions are shown below. Firstly, the rx receiver is disabled with ene_rx_disable() before rc_unregister_device() in ene_remove(), which means it can be enabled again if a process opens /dev/lirc0 between ene_rx_disable() and rc_unregister_device(). (cleanup routine) | (open routine) ene_remove() | ene_rx_disable(dev); | ene_open() | ene_rx_enable(dev); //re-enable! Secondly, the irqaction descriptor is freed by free_irq() before the rc device is unregistered, which means irqaction descriptor may be accessed again after it is deallocated. (free routine) | (use routine) ene_remove() | ene_rx_enable() free_irq(dev-&gt;irq, ...); //FREE | ene_rx_enable_hw() | ene_write_reg(..., dev-&gt;irq &lt;&lt; 1) //USE | Thirdly, the timer can call ene_tx_sample() that can write to the io ports, which means the io ports could be accessed again after they are deallocated by release_region(). (free routine) | (use routine) ene_remove() | ene_tx_sample() release_region(dev-&gt;hw_io, ...); //FREE | ene_write_reg() | outb(..., dev-&gt;hw_io + ENE_IO) //USE Fourthly, there is no function to cancel tx_sim_timer in ene_remove(), the timer handler ene_tx_irqsim() could race with ene_remove(). As a result, the UAF bugs could happen, the process is shown below. (free routine) | (use routine) | mod_timer(&amp;dev-&gt;tx_sim_timer, ..) ene_remove() | (wait a time) kfree(dev) //FREE | ene_tx_irqsim() | dev-&gt;hw_lock //USE | ene_tx_sample(dev) //USE ------------------------------------------ Reference: <a href="https://github.com/torvalds/linux/commit/29b0589a865b6f66d141d79b2dd1373e4e50fe17">https://github.com/torvalds/linux/commit/29b0589a865b6f66d141d79b2dd1373e4e50fe17</a>

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-cve
• agent/first-publish-date
• agent/type
• collector/launchpad-cve
• source/Launchpad
• agent/weakness
• agent/severity
• collector/mitre-cve
• source/MITRE
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2023-1118
• agent/software-canonical-lookup
• agent/remedy
• agent/last-modified-date
• agent/trending
• agent/source
• agent/references
• agent/author
• agent/description
• agent/event
• collector/nvd-cve
• source/NVD
• agent/software-canonical-lookup-request
• collector/nvd-index
• collector/ibm-support
• source/IBM
• agent/softwarecombine
• agent/tags
• collector/usn-cve
• source/Ubuntu
• collector/security-tracker-debian
• source/Debian
• package-manager/redhat
• vendor/linux
• canonical/linux kernel
• version/linux kernel/2.6.36
• version/linux kernel/4.15
• version/linux kernel/4.20
• version/linux kernel/5.5
• version/linux kernel/5.11
• version/linux kernel/5.16
• version/linux kernel/6.2
• vendor/ibm
• canonical/ibm security verify governance - identity manager
• version/ibm security verify governance - identity manager/isvg 10.0.2
• package-manager/debian