Re: [PATCH] Input: sunkbd - fix UAF in sunkbd_reinit()
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: 2020-11-17 20:11:00
Also in:
lkml
Hi Yang,

On Tue, Nov 17, 2020 at 09:27:51PM +0800, Yang Yingliang wrote:
After sunkbd->tq is added to the workqueue, and before the scheduled work finishes, sunkbd is freed by sunkbd_disconnect(); when sunkbd is then used in sunkbd_reinit(), this causes a UAF. Fix this by calling flush_scheduled_work() before freeing sunkbd. This fixes CVE-2020-25669.

Signed-off-by: Yang Yingliang <redacted>
--- drivers/input/keyboard/sunkbd.c | 1 + 1 file changed, 1 insertion(+)diff --git a/drivers/input/keyboard/sunkbd.c b/drivers/input/keyboard/sunkbd.c index 27126e621eb6..b6222896acdf 100644 --- a/drivers/input/keyboard/sunkbd.c +++ b/drivers/input/keyboard/sunkbd.c@@ -316,6 +316,7 @@ static void sunkbd_disconnect(struct serio *serio) { struct sunkbd *sunkbd = serio_get_drvdata(serio); + flush_scheduled_work();
This is unfortunately racy, as we may get an interrupt and reschedule the work again before we get to disabling the port. It is properly fixed by 77e70d351db7de07a46ac49b87a6c3c7a60fca7e.
sunkbd_enable(sunkbd, false); input_unregister_device(sunkbd->dev); serio_close(serio); -- 2.17.1
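Review bot: The flush_scheduled_work() added at the top of sunkbd_disconnect() runs before sunkbd_enable(sunkbd, false) and before serio_close(serio), so the serio interrupt path is still live after the flush returns and can queue sunkbd->tq again; the work can then run against sunkbd after it is freed, which is the same UAF the patch sets out to close. The ordering needs to be the other way around: quiesce the source of new work first (disable the keyboard and close the serio port), and only then wait for any already-queued work, for example with cancel_work_sync(&sunkbd->tq) after serio_close(serio) rather than a global flush_scheduled_work(), which also waits on every unrelated item in the system workqueue. The commit message should also state why the wait must come after the port is closed, since the race window is exactly that ordering.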
Thanks.

--
Dmitry