The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.

**CVE-2022-40295**

Discovered by Edward Prior on behalf of The Missing Link Security

**Vulnerability Details**

The application was vulnerable to an Authenticated Information Disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.

**Affected Versions**

Discovered in: 19.0

**Fixed Versions**

Fixed In: Won’t fix.

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

CVE-2022-40295: Authenticated sensitive information disclosure in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.

**CVE-2022-40294**

Discovered by Edward Prior on behalf of The Missing Link Security

**Vulnerability Details**

The application was identified to have an Authenticated Incubated Vulnerability in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.

**Affected Versions**

Discovered in: 19.0

**Fixed Versions**

Fixed In: Won’t fix.

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

CVE-2022-40294: Authenticated incubated vulnerability in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.

**CVE-2022-39020**

Discovered by Nelson Fernandes on behalf of The Missing Link Security

**Vulnerability Details**

Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.

**Affected Versions**

Discovered in: 21.0.2

**Fixed Versions**

Fixed in: 21.0.3

Latest News

Recent data breaches and what your business can learn from them

Clearing up the complex world of penetration testing

How intelligent automation can help address ESG reporting challenges

See All News

CVE-2022-39020: Cross-site scripting in Schoolbox version 21.0.2, by Schoolbox Pty Ltd.

On-chip solutions aim to prevent breaches by separating the computing element and keeping data in the secure vault at all times.

Top chip makers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Chip makers are adding protective vaults and encryption layers to secure data when it is stored, in transit, or being processed. The goal is to prevent hackers from launching hardware attacks to steal data.

The chip offerings are trickling down to cloud providers, with Microsoft (Azure) and Google (Cloud) offering security-focused virtual machines in which data in secure vaults can be unlocked by only authorized parties. Attestation verifies the source and integrity of the program entering the secure vault to access the data. Once authorized, the processing happens inside the vault, and the code doesn't leave the secure vault.

Confidential computing is not a part of everyday computing yet, but it may become necessary to protect sensitive applications and data from sophisticated attacks, says Jim McGregor, principal analyst at Tirias Research.

The chip makers are focusing on hardware protections because "software is easy to hack," McGregor says.

**Nvidia's Morpheus Uses AI to Analyze Behavior**

There are multiple dimensions to confidential computing. On-chip confidential computing aims to prevent breaches like the 2018 Meltdown and Spectre vulnerabilities by separating the computing element and keeping data in the secure vault at all times.

"Everybody wants to continue to reduce the attack surface of data," says Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations. "Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level."

Nvidia is taking a divergent approach to confidential computing with Morpheus, which uses artificial intelligence (AI) to keep computer systems secure. For example, Morpheus identifies suspicious user behavior by using AI techniques to inspect network packets for sensitive data.

"Security analysts can go and fix the security policies before it becomes a problem," Boitano says. "From there, we also realize the big challenges — you have to kind of assume that people are already in your network, so you have also got to look at the behavior of users and machines on the network."

Nvidia is also using Morpheus to establish security priorities for analysts tracking system threats. The AI system breaks down login information to identify abnormal user behavior on a network and machines that may have been compromised by phishing, social engineering, or other techniques. That analysis helps the company's security team prioritize their actions.

"You're trying to look at everything and then use AI to determine what you need to keep and act on versus what might just be noise that you can drop," Boitano says.

**Intel Rolls Out Project Amber**

Confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models, says Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer.

Companies are eager to bring diverse data sets into proprietary data to make internal AI systems more accurate, Rao says. Confidential computing makes sure only authorized data is fed into AI and learning models, and that the data is not pilfered or stolen.

"If you have data coming in from credit card companies, you have data coming in from insurance companies, and you have data coming in from other locations, what you can do is say, 'I'm going to process all of these pieces of data inside of a \[secure\] enclave,'" Rao says.

Intel already had a secure enclave called SGX (Secure Guard Extension), but it recently added Project Amber, a cloud-based service that uses hardware and software techniques to attest and certify the trustworthiness of data.

On its upcoming 4th Generation Xeon Scalable processor, Intel's Project Amber uses instructions called Trust Domain Execution (TDX) to unlock secure enclaves. An Amber engine on one chip generates a numerical code for the secure enclave. If the code provided by the data or program seeking access matches, it is allowed to enter the secure enclave; if not, entry is denied.

**ARM Teams Up With AWS**

At the recent online ARM DevSummit, ARM — whose chip designs are being used by AWS on its Graviton cloud chip — announced it was focusing confidential computing on dynamic "realms" that will order programs and data in separate computational environments.

ARM's latest confidential computing architecture will deepen secure "wells" and make it harder for hackers to pull out data. The company is releasing confidential computing software stacks and guides for implementation in processors coming out over the next two years.

"We're already investing to ensure that you have the tools and software to see the ecosystem for early development," said Gary Campbell, executive vice president for central engineering at ARM, during a keynote at the event.

**AMD and Microsoft Go Open Source**

During a presentation at the AI Hardware Summit in August, Mark Russinovich, Microsoft Azure's chief technology officer, gave an example of how Royal Bank of Canada was using AMD's SEV-SNP confidential computing technology in Azure. The bank's AI model mixed proprietary data sets with information from merchants, consumers, and banks in real time, which helped provide more targeted advertising offerings to its customers.

Confidential computing features such as attestation ensured only the authorized data was mingling with its proprietary data set and not compromising it, Russinovich said.

Nvidia, Microsoft, Google, and AMD are collaborating on Caliptra, an open source specification for chip makers to build confidential computing security blocks into chips and systems.

How Chip Makers Are Implementing Confidential Computing

Dozens of international delegations meet for the second year to share intel, with a goal of stopping ransomware attacks on critical infrastructure.

U.S. officials will meet this week with delegations from more than 36 countries to share intelligence and strategize about how to push back against crippling and costly ransomware attacks against critical infrastructure.

The second-annual ransomware summit will include briefings from intelligence officials on the more than 4,000 cyberattacks that have occurred just over the past 18 months, Biden administration officials told reporters.

In addition to public sector experts, Microsoft and SAP will also contribute their data and analysis as part of their participation in the summit.

Russia, which is the country of origin of many ransomware operations, is not represented at the meetings.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

White House Convenes International Ransomware Summit

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

Monday, October 31, 2022 14:10

**A case study in why cybersecurity experience is not a prerequisite to work in security**

Azim Khodjibaev knows all sides of the “security” industry.

That doesn’t just cover cybersecurity, either — he spent the first part of his career ensuring the physical safety of civilians and military personnel, which is about as high-stakes as it gets.

Today, he’s using his knack for tracking physical threats to hunt down other types of threats on the deepest corners of the internet so Talos can stay one step ahead of threat actors.

Khodjibaev is a senior intelligence analyst with Talos’ Threat Intelligence and Interdiction team. The idea of collecting intelligence of all types has been in his life for years — he’s no stranger to geopolitical conflict growing up in the late days of the Soviet Union.

When his family immigrated to the U.S. in the mid-1990s, he knew he wanted to follow a career in political science, which led him to get his bachelor’s degree in international relations. Since then, the word “threats” has meant all sorts of things to Khodjibaev.

He spent several years in different contracting positions with the U.S. government where he worked in counterintelligence research, utilizing his native Russian language to try and warn potential targets of military action, by infiltrating various online networks and tapping other sources to learn as much as possible about adversaries’ plans. Khodjibaev was also a part of the intelligence-gathering operations in the wake of the Boston Marathon bombing in 2013 and spent time tracking the location of improvised explosive devices (IEDs) on real battlefields.

“After doing that for a while, out of the blue, I got a message on LinkedIn that actually looked like a phish because it was too good to be true,” he jokes now.

The message was a Cisco recruiter reaching out to him about a potential job opportunity at Talos in the cybersecurity space, something Khodjibaev had never directly worked in before. But after a successful interview and a promise of further education in the field, he jumped on board with Talos in 2016. One of his first challenges was to translate the infamous BlackEnergy attacks against Ukraine and pass along his findings to the Talos detection team who needed to react quickly to the cyber attack.

“For about three-and-a-half years, I was blind, I had no idea what was going on. I knew nothing about the network structure, and only knew the very basic levels of cybersecurity,” he said.

But by working on a team with cybersecurity-focused researchers, he grew his knowledge of virtual threats and how to apply his intelligence-gathering skills to focus on cyber attacks rather than kinetic ones.

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

“Over time, I realized I could contribute to the entire cybersecurity enterprise by building on those human intelligence skills and cyber intelligence skills,” he said.

When Khodjibaev finds a new potential threat or piece of malware, he tries to get it to Talos’ team of reverse engineers and rule writers to write detection as quickly as possible. He also partners with the Outreach team’s researchers to put together public-facing intelligence on the threat, such as one of Talos’ blog posts or intelligence partner alerts.

“As soon as I see something that’s beyond my ability to do something, we have a very specific mechanism that Talos has developed and refined to be speedy, yet accurate, with our detection,” he said.

Most recently, Khodjibaev’s been researching the LockBit ransomware group and regularly updates his Twitter followers about the group’s ongoing developments, even leading to a mini-series of Talos Takes episodes jokingly dubbed “Days of our Ransomware” as he sees drama between these groups play out on message boards, private chats and more.

These can often be very high-risk situations, though, and Khodjibaev continually imperils himself by trying to infiltrate virtual spaces with well-funded and highly skilled threat actors, so one slip-up could make him a personal target of an attack. But it doesn’t deter him from checking as many spaces as possible for the latest developments.

“There have been times when I’ve been legitimately scared because I pushed the envelope too far,” he said. “I am paranoid and careful in a good way where I’m always documenting things. But I’ve pushed the envelope into how far I’ve gone. The bad guys need to understand and learn that if they create a space that has more than one person in it, it’s only a matter of time before someone like me gets in there and takes advantage of that.”

These high-stress situations are admittedly less of a literal life-and-death situation that Khodjibaev used to work in when he would be forced to watch videos or read plans of “violence, abuse, crimes against innocent, defenseless people.”

So, he enjoys the quieter moments of his life where he can either work in his yard at his home or get out and kayak. He’s also a rowing coach for a local high school program.

“Given that unstable childhood I went through \[in the Soviet Union\], I am really into just living a really boring suburban life,” Khodjibaev said.

Now several years into his cybersecurity journey, Khodjibaev said he’s learned that cybersecurity isn’t a problem that can only be solved by looking at raw intelligence like datasets, he more so subscribes to Matt Olney’s, the director of Threat Intelligence and Interdiction at Talos, theory that “cybersecurity is a human problem.”

“I’ve always been a curious person and have always had a low tolerance of malicious activity against people who can’t help themselves,” Khodjibaev said. “Most cybercrime is just that — it’s not these state-sponsored actors, it’s cyber criminals ruining people’s days and targeting hospitals, and schools, and I always wanted to do something about it.”

Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web

Accelerates the safe recovery from ransomware attacks.

**SANTA CLARA, Calif., and PUNE, India, Oct. 31, 2022 /PRNewswire/** — Persistent Systems (BSE: PERSISTENT) (NSE: PERSISTENT), a global Digital Engineering provider, today announced the launch of a trailblazing solution that enables organizations to recover more quickly from cyberattacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber-recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace.

Hackers are increasing the frequency and scale of ransomware attacks. They are using continually evolving and sophisticated techniques, which makes recovery from attacks more challenging. These attacks may lead to sensitive data leakage, loss of business, and damage to brand reputation. It is crucial for organizations to not only focus on protection against cyber-attacks but also strengthen their recovery process.

Traditional backup and Disaster Recovery (DR) solutions are not designed for recovery from cyber-attacks. Persistent Intelligent Cyber Recovery includes tailored recovery plans, Persistent IP for finding and remediating malware, and the optional managed services to administer the recovery process. Persistent's solution integrates with Google Cloud to provide a secure recovery environment and Google Cloud Backup and DR for protecting the server images.

Persistent Intelligent Cyber Recovery offers the following benefits:

\-- Reduction in data loss  
\-- Decreased risk of recurrent attacks through the removal of malware  
\-- Faster recovery from ransomware and zero-day attacks (from weeks/months  
to hours/days)  
\-- Potential cyber insurance cost reduction  
\-- Scalable solution depending on enterprise size challenges  
Nitha Puthran, Senior Vice President - Cloud, Infrastructure and Security,  
Persistent:

"The digital environment today is constantly evolving and so are the risks associated with it. We are leveraging our strong relationship with Google Cloud and our product engineering expertise to create an industry-leading solution that allows enterprises to recover faster from cyber-attacks, thereby reducing the impact on their business.

"Persistent Intelligent Cyber Recovery combines strategic planning and the creation of playbooks, integration with Google Cloud services and our own IP to find anomalies that indicate malware, remove the malware, and use automation to set up test and production environments to scale. It takes a services and product mindset to create a solution like Persistent Intelligent Cyber Recovery and Persistent is uniquely positioned in the market to deliver both."

Dai Vu, Managing Director, Marketplace and ISV GTM Programs, Google: "As cyber threats become more prevalent, customers need solutions that can help them quickly address and recover from cyber-attacks. With the Persistent's Intelligent Cyber Recovery (PiCR) solution available on Google Cloud Marketplace, customers can quickly deploy PiCR to their Google Cloud environment and utilize it alongside Google Cloud technologies and capabilities to address cyber-attacks quickly and securely."  
**SOURCE:** Persistent Systems

Persistent Launches Cyber-Recovery Solution With Google Cloud

When looking at the scale and scope of worldwide cybercrime, password attacks are the most commonly observed type of threat in a given 60-second period.

Cybercrime is big and still growing bigger. It is often difficult to fully grasp the impact online attacks have had over the past decades. We used data from various Microsoft-owned properties and a mix of external sources to illustrate the scale and scope of worldwide cybercrime. Our comprehensive report on malicious activity highlights what is happening around the world within any given 60-second window.

**Cyberattacks Vary By Type and Focus**

If we’ve learned anything from our examination of last year’s online attacks, it’s that security teams need to be prepared to defend against a wide variety of threats at all times. According to RiskIQ, acquired by Microsoft in 2021, password attacks were far and away the most commonly observed type of threat, clocking in at 34,740 per minute. However, we also saw 1,902 Internet of Things (IoT) attacks and 1,095 distributed denial-of-service (DDoS) attacks during the same 60-second time period.

The threat picture gets even more complex the deeper we dive into internal Microsoft security data. We most commonly blocked email threats, identity threats, and brute-force authorization attacks for our customers.

When we examined a broad range of market data, we uncovered even more attacks. In 2021, seven phishing attacks occurred every minute, one SQL injection attack every two minutes, one new threat infrastructure detection every 35 minutes, one supply chain attack every 44 minutes, and one ransomware attack every 195 minutes. All of this comes together to create a tangled cybercrime landscape that security teams have to contend with.

**What Is the True Cost of Cybercrime?**

Cybercrime is a highly disruptive force, estimated to cause trillions of dollars in damages globally every year. The cost of cybercrime comes from damage done to data and property, stolen assets — including intellectual property — and the disruption of business systems and productivity.

Here’s a breakdown of how much cybercriminals cost businesses and consumers in 2021 per minute:

*   Worldwide economic impact of cybercrime: $1,141,553

*   Global cybersecurity spend: $285,388

*   E-commerce payment fraud losses: $38,052

*   Global ransomware damages: $38,051

*   Total cost of business email compromise: $4,566

*   Amount lost to cryptocurrency scams: $3,615

*   Average cost of breach: $8

*   Average cost of malware attacks: $5

How should enterprises guard against the disruptions and financial losses that come with a cybersecurity breach? They should start by understanding the full scope of the digital landscape that needs to be protected.

**What Should Organizations Expect?**

Threat actors are getting savvier about the tools and methods they use for evading detection, bypassing security systems, and perpetrating attacks. In 2021 there were 79,861 new hosts and 7,620 new IoT devices every minute. Likewise, we discovered 150 new domains, 53 new active LetsEncrypt SSL certificates, and 23 new mobile apps created in the same time period. Each of these additions can potentially act as a doorway for threat actors.

Cloud migrations, new digital initiatives, and shadow IT all widen the attack surface. At the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, cheap infrastructure and flourishing cybercrime economies grow the threat landscape that organizations, in turn, must track. Organizations need to ensure they’re one step ahead by creating a more holistic cybersecurity strategy that protects their operations on all fronts.

To gain control of this dynamic threat landscape, security teams must keep a pulse on new and emerging threats, the latest cybercrime tactics, and the leading tools at their disposal. Microsoft tracks more than 43 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly. Our customers can access this intelligence directly to create a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.

A Cyber Threat Minute: Cybercrime’s Scope in 60-Second Snapshots

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().

From: Hyunwoo Kim <imv4bel@gmail.com>
To: Arnd Bergmann <arnd@arndb.de>,
	laforge@gnumonks.org, gregkh@linuxfoundation.org
Cc: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
	linux-kernel@vger.kernel.org,
	"Dominik Brodowski" <linux@dominikbrodowski.net>,
	"Paul Fulghum" <paulkf@microgate.com>,
	akpm@osdl.org, imv4bel@gmail.com
Subject: Re: \[PATCH\] pcmcia: synclink\_cs: Fix use-after-free in mgslpc\_ioctl()
Date: Wed, 14 Sep 2022 19:08:34 -0700	\[thread overview\]
Message-ID: <20220915020834.GA110086@ubuntu> (raw)
In-Reply-To: <a8a9fd74-4ee5-4619-8492-be7139e6d48e@www.fastmail.com\>

The previous mailing list is here:
https://lore.kernel.org/lkml/20220913052020.GA85241@ubuntu/#r

There are 3 other pcmica drivers in the path "drivers/char/pcmcia/synclink\_cs.c", 
the path of the "synclink\_cs.c" driver I reported the UAF to.
A similar UAF occurs in the "cm4000\_cs.c" and "cm4040\_cs.c" drivers. 
(this does not happen in scr24x\_cs.c)

The flow of UAF occurrence in cm4040\_cs.c driver is as follows:
\`\`\`
                cpu0                                                cpu1
       1. open()
          cm4040\_open()
                                                             2. reader\_detach()
                                                                reader\_release()
                                                                cm4040\_reader\_release()
                                                                while (link->open) { ...
       3. link->open = 1;
                                                             4. kfree(dev);
                                                                device\_destroy()
       5. read()   <- device\_destroy() was called, but read() can be called because fd is open
          cm4040\_read()
          int iobase = dev->p\_dev->resource\[0\]->start;   <- UAF
\`\`\`
In cm4040\_open() function, link->open is set to 1.
And in the .remove callback reader\_detach() function, if link->open is 1, 
cm4040\_close() is called and wait()s until link->open becomes 0.
However, if the above race condition occurs in these two functions, 
the link->open check in reader\_detach() can be bypassed.
After that, you can call read() on the task that acquired fd to raise a 
UAF for the kfree()d "dev".


The flow of UAF occurrence in cm4000\_cs.c driver is as follows:

\`\`\`
                cpu0                                                cpu1
       1. open()
          cmm\_open()
                                                             2. cm4000\_detach()
                                                                stop\_monitor()
                                                                if (dev->monitor\_running) { ...
       3. start\_monitor()
          dev->monitor\_running = 1;
                                                             4. cm4000\_release()
                                                                cmm\_cm4000\_release()
                                                                while (link->open) { ...
       5. link->open = 1;
                                                             6. kfree(dev);
                                                                device\_destroy()
       7. read()   <- device\_destroy() was called, but read() can be called because fd is open
          cmm\_read()
          unsigned int iobase = dev->p\_dev->resource\[0\]->start;   <- UAF
\`\`\`
In the cm4000\_cs.c driver, the race condition flow is tricky because of 
the start/stop\_monitor() functions.

The overall flow is similar to cm4040\_cs.c.
Added one race condition to bypass the "dev->monitor\_running" check.


So, should the above two drivers be removed from the kernel like the synclink\_cs.c driver?

Or should I submit a patch that fixes the UAF?


Best Regards,
Hyunwoo Kim.

next prev parent reply	other threads:\[~2022-09-15  2:08 UTC|newest\]

**Thread overview:** 10+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13  5:20 \[PATCH\] pcmcia: synclink\_cs: Fix use-after-free in mgslpc\_ioctl() Hyunwoo Kim
2022-09-13 14:59 \` Arnd Bergmann
2022-09-13 15:14   \` Paul Fulghum
2022-09-13 15:43     \` Hyunwoo Kim
**2022-09-15  2:08   \` Hyunwoo Kim \[this message\]**
2022-09-15  7:35     \` Arnd Bergmann
2022-09-15  8:02       \` Dominik Brodowski
2022-09-15  9:00         \` Hyunwoo Kim
2022-09-16  5:03         \` Hyunwoo Kim
2022-09-15 14:05       \` Harald Welte

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220915020834.GA110086@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=akpm@osdl.org \\
    --cc=arnd@arndb.de \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=ilpo.jarvinen@linux.intel.com \\
    --cc=laforge@gnumonks.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux@dominikbrodowski.net \\
    --cc=paulkf@microgate.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-44032: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().

From: Hyunwoo Kim <imv4bel@gmail.com>
To: lkundrak@v3.sk
Cc: linux-kernel@vger.kernel.org, imv4bel@gmail.com, arnd@arndb.de,
	gregkh@linuxfoundation.org, linux@dominikbrodowski.net
Subject: \[PATCH v5\] char: pcmcia: scr24x\_cs: Fix use-after-free in scr24x\_fops
Date: Mon, 19 Sep 2022 03:18:25 -0700	\[thread overview\]
Message-ID: <20220919101825.GA313940@ubuntu> (raw)

A race condition may occur if the user physically removes the
pcmcia device while calling open() for this char device node.

This is a race condition between the scr24x\_open() function and
the scr24x\_remove() function, which may eventually result in UAF.

So, add a mutex to the scr24x\_open() and scr24x\_remove() functions
to avoid race contidion of krefs.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
---
v2: fixed issue using dev's member mutex which can be freed after kref\_put()
v3: fixed using "removed" member of dev that could be freed after kref\_put()
v4: fix issue referencing uninitialized dev in scr24x\_open() function
v5: Fix patch reporting email format
---
 drivers/char/pcmcia/scr24x\_cs.c | 73 +++++++++++++++++++++++----------
 1 file changed, 52 insertions(+), 21 deletions(-)

diff --git a/drivers/char/pcmcia/scr24x\_cs.c b/drivers/char/pcmcia/scr24x\_cs.c
index 1bdce08fae3d..039d44ee0ebe 100644
--- a/drivers/char/pcmcia/scr24x\_cs.c
+++ b/drivers/char/pcmcia/scr24x\_cs.c
@@ -33,6 +33,7 @@
 
 struct scr24x\_dev {
 	struct device \*dev;
+	struct pcmcia\_device \*p\_dev;
 	struct cdev c\_dev;
 	unsigned char buf\[CCID\_MAX\_LEN\];
 	int devno;
@@ -42,15 +43,31 @@ struct scr24x\_dev {
 };
 
 #define SCR24X\_DEVS 8
\-static DECLARE\_BITMAP(scr24x\_minors, SCR24X\_DEVS);
+static struct pcmcia\_device \*dev\_table\[SCR24X\_DEVS\];
+static DEFINE\_MUTEX(remove\_mutex);
 
 static struct class \*scr24x\_class;
 static dev\_t scr24x\_devt;
 
 static void scr24x\_delete(struct kref \*kref)
 {
\-	struct scr24x\_dev \*dev = container\_of(kref, struct scr24x\_dev,
-								refcnt);
+	struct scr24x\_dev \*dev = container\_of(kref, struct scr24x\_dev, refcnt);
+	struct pcmcia\_device \*link = dev->p\_dev;
+	int devno;
+
+	for (devno = 0; devno < SCR24X\_DEVS; devno++) {
+		if (dev\_table\[devno\] == link)
+			break;
+	}
+	if (devno == SCR24X\_DEVS)
+		return;
+
+	device\_destroy(scr24x\_class, MKDEV(MAJOR(scr24x\_devt), dev->devno));
+	mutex\_lock(&dev->lock);
+	pcmcia\_disable\_device(link);
+	cdev\_del(&dev->c\_dev);
+	dev->dev = NULL;
+	mutex\_unlock(&dev->lock);
 
 	kfree(dev);
 }
@@ -73,11 +90,24 @@ static int scr24x\_wait\_ready(struct scr24x\_dev \*dev)
 
 static int scr24x\_open(struct inode \*inode, struct file \*filp)
 {
\-	struct scr24x\_dev \*dev = container\_of(inode->i\_cdev,
-				struct scr24x\_dev, c\_dev);
+	struct scr24x\_dev \*dev;
+	struct pcmcia\_device \*link;
+	int minor = iminor(inode);
+
+	if (minor >= SCR24X\_DEVS)
+		return -ENODEV;
+
+	mutex\_lock(&remove\_mutex);
+	link = dev\_table\[minor\];
+	if (link == NULL) {
+		mutex\_unlock(&remove\_mutex);
+		return -ENODEV;
+	}
 
+	dev = link->priv;
 	kref\_get(&dev->refcnt);
 	filp->private\_data = dev;
+	mutex\_unlock(&remove\_mutex);
 
 	return stream\_open(inode, filp);
 }
@@ -232,24 +262,31 @@ static int scr24x\_config\_check(struct pcmcia\_device \*link, void \*priv\_data)
 static int scr24x\_probe(struct pcmcia\_device \*link)
 {
 	struct scr24x\_dev \*dev;
\-	int ret;
+	int i, ret;
+
+	for (i = 0; i < SCR24X\_DEVS; i++) {
+		if (dev\_table\[i\] == NULL)
+			break;
+	}
+
+	if (i == SCR24X\_DEVS)
+		return -ENODEV;
 
 	dev = kzalloc(sizeof(\*dev), GFP\_KERNEL);
 	if (!dev)
 		return -ENOMEM;
 
\-	dev->devno = find\_first\_zero\_bit(scr24x\_minors, SCR24X\_DEVS);
-	if (dev->devno >= SCR24X\_DEVS) {
-		ret = -EBUSY;
-		goto err;
-	}
+	dev->devno = i;
 
 	mutex\_init(&dev->lock);
 	kref\_init(&dev->refcnt);
 
 	link->priv = dev;
+	dev->p\_dev = link;
 	link->config\_flags |= CONF\_ENABLE\_IRQ | CONF\_AUTO\_SET\_IO;
 
+	dev\_table\[i\] = link;
+
 	ret = pcmcia\_loop\_config(link, scr24x\_config\_check, NULL);
 	if (ret < 0)
 		goto err;
@@ -282,8 +319,8 @@ static int scr24x\_probe(struct pcmcia\_device \*link)
 	return 0;
 
 err:
\-	if (dev->devno < SCR24X\_DEVS)
-		clear\_bit(dev->devno, scr24x\_minors);
+	dev\_table\[i\] = NULL;
+
 	kfree (dev);
 	return ret;
 }
@@ -292,15 +329,9 @@ static void scr24x\_remove(struct pcmcia\_device \*link)
 {
 	struct scr24x\_dev \*dev = (struct scr24x\_dev \*)link->priv;
 
\-	device\_destroy(scr24x\_class, MKDEV(MAJOR(scr24x\_devt), dev->devno));
-	mutex\_lock(&dev->lock);
-	pcmcia\_disable\_device(link);
-	cdev\_del(&dev->c\_dev);
-	clear\_bit(dev->devno, scr24x\_minors);
-	dev->dev = NULL;
-	mutex\_unlock(&dev->lock);
-
+	mutex\_lock(&remove\_mutex);
 	kref\_put(&dev->refcnt, scr24x\_delete);
+	mutex\_unlock(&remove\_mutex);
 }
 
 static const struct pcmcia\_device\_id scr24x\_ids\[\] = {

base-commit: 521a547ced6477c54b4b0cc206000406c221b4d6
-- 
2.25.1

                 reply	other threads:\[~2022-09-19 10:26 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220919101825.GA313940@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=arnd@arndb.de \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux@dominikbrodowski.net \\
    --cc=lkundrak@v3.sk \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

Tag

#intel