1.4 KiB
CVE-2023-52439
Description
In the Linux kernel, the following vulnerability has been resolved:uio: Fix use-after-free in uio_opencore-1 core-2-------------------------------------------------------uio_unregister_device uio_open idev = idr_find()device_unregister(&idev->dev)put_device(&idev->dev)uio_device_release get_device(&idev->dev)kfree(idev)uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev)-------------------------------------------------------In the core-1 uio_unregister_device(), the device_unregister will kfreeidev when the idev->dev kobject ref is 1. But after core-1device_unregister, put_device and before doing kfree, the core-2 mayget_device. Then:1. After core-1 kfree idev, the core-2 will do use-after-free for idev.2. When core-2 do uio_release and put_device, the idev will be double freed.To address this issue, we can get idev atomic & inc idev reference withminor_lock.
POC
Reference
No PoCs from references.