In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authenticate these changes by entering the password and/or second-factor authentication to confirm changes.

**Overview**

Having set up a YubiKey for my Two-Factor-Authentication i noticed that a confirmation through the set up second-factor is not required when making changes to security-settings within that KeePassXC-Database.

**Steps to Reproduce**

1.  In Database-settings/Security set up a YubiKey Challenge-Response
2.  Create a new Entry
3.  Confirm with YubiKey Challenge-Response
4.  Go back to Database-settings/Security
5.  Remove YubiKey Challenge-Response

**Expected Behavior**

Imperative authentication through YubiKey Challenge-Response when making security-related changes to database settings.

**Actual Behavior**

No Two-Factor-Authentication required, while it is set up.

**Context**

This is a similar but different issue like 9339.

KeePassXC - 2.7.4  
Operating System: Linux

CVE-2023-35866: Insecure Two-Factor-Authentication settings modification · Issue #9391 · keepassxreboot/keepassxc

VirtualSquare picoTCP (aka PicoTCP-NG) through 2.1 lacks certain size calculations before attempting to set a value of an mss structure member.

Expand Up @@ -868,6 +868,9 @@ static inline void tcp\_parse\_option\_mss(struct pico\_socket\_tcp \*t, uint8\_t len, if (tcpopt\_len\_check(idx, len, PICO\_TCPOPTLEN\_MSS) < 0) return;  
if ((\*idx + PICO\_TCPOPTLEN\_MSS) > len) return;  
t->mss\_ok = 1; mss = short\_from(opt + \*idx); \*idx += (uint32\_t)sizeof(uint16\_t); Expand Down Expand Up @@ -896,6 +899,10 @@ static int tcp\_parse\_options(struct pico\_frame \*f) uint8\_t \*opt = f->transport\_hdr + PICO\_SIZE\_TCPHDR; uint32\_t i = 0; f->timestamp = 0;  
if (f->buffer + f->buffer\_len > f->transport\_hdr + f->transport\_len) return -1;  
while (i < (f->transport\_len - PICO\_SIZE\_TCPHDR)) { uint8\_t type = opt\[i++\]; uint8\_t len; Expand Down Expand Up @@ -1085,7 +1092,11 @@ struct pico\_socket \*pico\_tcp\_open(struct pico\_stack \*S, uint16\_t family) t->sock.stack = S; t->sock.timestamp = TCP\_TIME; pico\_socket\_set\_family(&t->sock, family); t->mss = (uint16\_t)(pico\_socket\_get\_mss(&t->sock) - PICO\_SIZE\_TCPHDR); t->mss = (uint16\_t)(pico\_socket\_get\_mss(&t->sock)); if (t->mss > PICO\_SIZE\_TCPHDR + PICO\_TCP\_MIN\_MSS) t->mss -= (uint16\_t)PICO\_SIZE\_TCPHDR; else t->mss = PICO\_TCP\_MIN\_MSS; t->tcpq\_in.pool.root = t->tcpq\_hold.pool.root = t->tcpq\_out.pool.root = &LEAF; t->tcpq\_hold.pool.compare = t->tcpq\_out.pool.compare = segment\_compare; t->tcpq\_in.pool.compare = input\_segment\_compare; Expand Down Expand Up @@ -1254,7 +1265,10 @@ int pico\_tcp\_initconn(struct pico\_socket \*s) ts->snd\_last = ts->snd\_nxt; ts->cwnd = PICO\_TCP\_IW; mtu = (uint16\_t)pico\_socket\_get\_mss(s); ts->mss = (uint16\_t)(mtu - PICO\_SIZE\_TCPHDR); if (mtu > PICO\_SIZE\_TCPHDR + PICO\_TCP\_MIN\_MSS) ts->mss = (uint16\_t)(mtu - PICO\_SIZE\_TCPHDR); else ts->mss = PICO\_TCP\_MIN\_MSS; ts->ssthresh = (uint16\_t)((uint16\_t)(PICO\_DEFAULT\_SOCKETQ / ts->mss) - (((uint16\_t)(PICO\_DEFAULT\_SOCKETQ / ts->mss)) >> 3u)); syn->sock = s; hdr->seq = long\_be(ts->snd\_nxt); Expand Down Expand Up @@ -2446,7 +2460,10 @@ static int tcp\_syn(struct pico\_socket \*s, struct pico\_frame \*f) #endif f->sock = &new->sock; mtu = (uint16\_t)pico\_socket\_get\_mss(&new->sock); new->mss = (uint16\_t)(mtu - PICO\_SIZE\_TCPHDR); if (mtu > PICO\_SIZE\_TCPHDR + PICO\_TCP\_MIN\_MSS) new->mss = (uint16\_t)(mtu - PICO\_SIZE\_TCPHDR); else new->mss = PICO\_TCP\_MIN\_MSS; if (tcp\_parse\_options(f) < 0) return -1; new->sock.stack = s->stack; Expand Down

CVE-2023-35848: Various fixes on size calculation by danielinux · Pull Request #15 · virtualsquare/picotcp

An issue was discovered in the Linux kernel before 6.3.4. A use-after-free was found in r592_remove in drivers/memstick/host/r592.c.

CVE-2023-35825

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.

From: Hans Verkuil <hverkuil@xs4all.nl>
To: Linux Media Mailing List <linux-media@vger.kernel.org>
Cc: "Milen Mitkov (Consultant)" <quic\_mmitkov@quicinc.com>,
	"Niklas Söderlund" <niklas.soderlund+renesas@ragnatech.se>
Subject: \[GIT PULL FOR v6.4\] Various fixes/enhancements
Date: Tue, 21 Mar 2023 16:17:47 +0100	\[thread overview\]
Message-ID: <49bb0b6a-e669-d4e7-d742-a19d2763e947@xs4all.nl> (raw)

The following changes since commit 71937240a472ee551ac8de0e7429b9d49884a388:

  media: ov2685: Select VIDEO\_V4L2\_SUBDEV\_API (2023-03-20 16:32:18 +0100)

are available in the Git repository at:

  git://linuxtv.org/hverkuil/media\_tree.git tags/br-v6.4g

for you to fetch changes up to dacc09862467123c7e5ac45b131e77aafa54fe96:

  media: au0828: remove unnecessary (void\*) conversions (2023-03-21 15:49:12 +0100)

----------------------------------------------------------------
Tag branch

----------------------------------------------------------------
Milen Mitkov (4):
      media: camss: sm8250: Virtual channels for CSID
      media: camss: vfe: Reserve VFE lines on stream start and link to CSID
      media: camss: vfe-480: Multiple outputs support for SM8250
      media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels

Niklas Söderlund (3):
      media: i2c: adv748x: Fix lookup of DV timings
      media: i2c: adv748x: Write initial DV timings to device
      media: i2c: adv748x: Report correct DV timings for pattern generator

Oliver Neukum (1):
      usbtv: usbtv\_set\_regs: the pipe is output

Yang Li (1):
      media: atmel: atmel-isc: Use devm\_platform\_ioremap\_resource()

Yu Zhe (1):
      media: au0828: remove unnecessary (void\*) conversions

Zheng Wang (2):
      media: dm1105: Fix use after free bug in dm1105\_remove due to race condition
      media: saa7134: fix use after free bug in saa7134\_finidev due to race condition

 drivers/media/i2c/adv748x/adv748x-hdmi.c                   | 21 +++++++++++++++------
 drivers/media/pci/dm1105/dm1105.c                          |  1 +
 drivers/media/pci/saa7134/saa7134-ts.c                     |  1 +
 drivers/media/pci/saa7134/saa7134-vbi.c                    |  1 +
 drivers/media/pci/saa7134/saa7134-video.c                  |  1 +
 drivers/media/platform/qcom/camss/camss-csid-gen2.c        | 54 ++++++++++++++++++++++++++++++++++--------------------
 drivers/media/platform/qcom/camss/camss-csid.c             | 44 +++++++++++++++++++++++++++++++-------------
 drivers/media/platform/qcom/camss/camss-csid.h             | 11 +++++++++--
 drivers/media/platform/qcom/camss/camss-vfe-170.c          |  4 ++--
 drivers/media/platform/qcom/camss/camss-vfe-480.c          | 61 ++++++++++++++++++++++++++++++++++++++++---------------------
 drivers/media/platform/qcom/camss/camss-vfe-gen1.c         |  4 ++--
 drivers/media/platform/qcom/camss/camss-vfe.c              |  1 +
 drivers/media/platform/qcom/camss/camss-video.c            | 21 ++++++++++++++++++---
 drivers/media/platform/qcom/camss/camss.c                  |  2 +-
 drivers/media/usb/au0828/au0828-core.c                     |  2 +-
 drivers/media/usb/au0828/au0828-dvb.c                      |  4 ++--
 drivers/media/usb/usbtv/usbtv-core.c                       |  2 +-
 drivers/staging/media/deprecated/atmel/atmel-sama5d2-isc.c |  4 +---
 drivers/staging/media/deprecated/atmel/atmel-sama7g5-isc.c |  4 +---
 19 files changed, 163 insertions(+), 80 deletions(-)

next             reply	other threads:\[~2023-03-21 15:18 UTC|newest\]

**Thread overview:** 2+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2023-03-21 15:17 Hans Verkuil \[this message\]**
2023-03-21 15:57 \` \[GIT PULL FOR v6.4\] Various fixes/enhancements (#90583) Jenkins

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=49bb0b6a-e669-d4e7-d742-a19d2763e947@xs4all.nl \\
    --to=hverkuil@xs4all.nl \\
    --cc=linux-media@vger.kernel.org \\
    --cc=niklas.soderlund+renesas@ragnatech.se \\
    --cc=quic\_mmitkov@quicinc.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-35824: [GIT PULL FOR v6.4] Various fixes/enhancements

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c.

CVE-2023-35826

\* **\[PATCH\] media: cedrus: fix use after free bug in cedrus\_remove due to race condition**
**@ 2023-03-08  3:23 Zheng Wang**
  0 siblings, 0 replies; only message in thread
From: Zheng Wang @ 2023-03-08  3:23 UTC (permalink / raw)
  To: mchehab
  Cc: wens, jernej.skrabec, samuel, linux-media, linux-staging,
	linux-arm-kernel, linux-sunxi, linux-kernel, hackerzheng666,
	1395428693sheep, alex000young, Zheng Wang

In cedrus\_probe, dev->watchdog\_work is bound with cedrus\_watchdog function.
In cedrus\_device\_run, it will started by schedule\_delayed\_work. If there is
unfinished work in cedrus\_remove, there may be a race condition and trigger
UAF bug.

CPU0                  CPU1

                    |cedrus\_watchdog
cedrus\_remove       |
  v4l2\_m2m\_release  |
  kfree(m2m\_dev)    |
                    |
                    | v4l2\_m2m\_get\_curr\_priv
                    |   m2m\_dev //use

Fix it by canceling the worker in cedrus\_remove.

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index a43d5ff66716..c95d011c0817 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -546,7 +546,7 @@ static int cedrus\_probe(struct platform\_device \*pdev)
 static int cedrus\_remove(struct platform\_device \*pdev)
 {
 	struct cedrus\_dev \*dev = platform\_get\_drvdata(pdev);
\-
+	cancel\_delayed\_work(&dev->watchdog\_work);
 	if (media\_devnode\_is\_registered(dev->mdev.devnode)) {
 		media\_device\_unregister(&dev->mdev);
 		v4l2\_m2m\_unregister\_media\_controller(dev->m2m\_dev);
-- 
2.25.1


\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	\[**flat**|nested\] only message in thread

only message in thread, other threads:\[~2023-03-08  3:24 UTC | newest\]

**Thread overview:** (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-08  3:23 \[PATCH\] media: cedrus: fix use after free bug in cedrus\_remove due to race condition Zheng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35826: fix use after free bug in cedrus_remove due to race condition

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.

\* **\[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in  renesas\_usb3\_remove due to race condition**
**@ 2023-03-16 18:08 Zheng Wang**
  2023-03-16 19:07 \` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Zheng Wang @ 2023-03-16 18:08 UTC (permalink / raw)
  To: gregkh
  Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh, Zheng Wang

In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
renesas\_usb3\_start will be called to start the work.

If we remove the driver which will call usbhs\_remove, there may be
an unfinished work. The possible sequence is as follows:

Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.

Note that removing a driver is a root-only operation, and should never
happen.

CPU0                  			CPU1

                    			| renesas\_usb3\_role\_work
renesas\_usb3\_remove 			|
usb\_role\_switch\_unregister|
device\_unregister   			|
kfree(sw)  	     					|
free usb3->role\_sw  			|
                    			| usb\_role\_switch\_set\_role
                    			| //use usb3->role\_sw

This bug was found by static analysis.

Fixes: 39facfa01c9f ("usb: gadget: udc: renesas\_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
v7:
- add more details about how the bug was found suggested by Shuah
v6:
- beautify the format and add note suggested by Greg KH
v5:
- fix typo
v4:
- add Reviewed-by label and resubmit v4 suggested by Greg KH
v3:
- modify the commit message to make it clearer suggested by Yoshihiro Shimoda
v2:
- fix typo, use clearer commit message and only cancel the UAF-related work suggested by Yoshihiro Shimoda
---
 drivers/usb/gadget/udc/renesas\_usb3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/udc/renesas\_usb3.c b/drivers/usb/gadget/udc/renesas\_usb3.c
index bee6bceafc4f..a301af66bd91 100644
--- a/drivers/usb/gadget/udc/renesas\_usb3.c
+++ b/drivers/usb/gadget/udc/renesas\_usb3.c
@@ -2661,6 +2661,7 @@ static int renesas\_usb3\_remove(struct platform\_device \*pdev)
 	debugfs\_remove\_recursive(usb3->dentry);
 	device\_remove\_file(&pdev->dev, &dev\_attr\_role);
 
+	cancel\_work\_sync(&usb3->role\_work);
 	usb\_role\_switch\_unregister(usb3->role\_sw);
 
 	usb\_del\_gadget\_udc(&usb3->gadget);
-- 
2.25.1

^ permalink raw reply related	\[**flat**|nested\] 3+ messages in thread

\* **Re: \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in  renesas\_usb3\_remove due to race condition**
  2023-03-16 18:08 \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition Zheng Wang
**@ 2023-03-16 19:07 \` Greg KH**
  2023-03-17  3:59   \` Zheng Hacker
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2023-03-16 19:07 UTC (permalink / raw)
  To: Zheng Wang
  Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh

On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
\> In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
> renesas\_usb3\_start will be called to start the work.
> 
> If we remove the driver which will call usbhs\_remove, there may be
> an unfinished work. The possible sequence is as follows:
> 
> Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.
> 
> Note that removing a driver is a root-only operation, and should never
> happen.
> 
> CPU0                  			CPU1
> 
>                     			| renesas\_usb3\_role\_work
> renesas\_usb3\_remove 			|
> usb\_role\_switch\_unregister|
> device\_unregister   			|
> kfree(sw)  	     					|
> free usb3->role\_sw  			|
>                     			| usb\_role\_switch\_set\_role
>                     			| //use usb3->role\_sw
This still isn't working :(

^ permalink raw reply	\[**flat**|nested\] 3+ messages in thread

\* **Re: \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition**
  2023-03-16 19:07 \` Greg KH
**@ 2023-03-17  3:59   \` Zheng Hacker**
  0 siblings, 0 replies; 3+ messages in thread
From: Zheng Hacker @ 2023-03-17  3:59 UTC (permalink / raw)
  To: Greg KH
  Cc: Zheng Wang, skhan, p.zabel, biju.das.jz, phil.edworthy,
	linux-usb, linux-kernel, 1395428693sheep, alex000young,
	yoshihiro.shimoda.uh

Greg KH <gregkh@linuxfoundation.org> 于2023年3月17日周五 03:07写道：
\>
> On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
> > In renesas\_usb3\_probe, role\_work is bound with renesas\_usb3\_role\_work.
> > renesas\_usb3\_start will be called to start the work.
> >
> > If we remove the driver which will call usbhs\_remove, there may be
> > an unfinished work. The possible sequence is as follows:
> >
> > Fix it by canceling the work before cleanup in the renesas\_usb3\_remove.
> >
> > Note that removing a driver is a root-only operation, and should never
> > happen.
> >
> > CPU0                                          CPU1
> >
> >                                       | renesas\_usb3\_role\_work
> > renesas\_usb3\_remove                   |
> > usb\_role\_switch\_unregister|
> > device\_unregister                     |
> > kfree(sw)                                             |
> > free usb3->role\_sw                    |
> >                                       | usb\_role\_switch\_set\_role
> >                                       | //use usb3->role\_sw
>
> This still isn't working :(
>
Sorry I haven't read your advice when submiting this version of patch.

Best Regards,
Zheng

^ permalink raw reply	\[**flat**|nested\] 3+ messages in thread

end of thread, other threads:\[~2023-03-17  4:00 UTC | newest\]

**Thread overview:** 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-16 18:08 \[PATCH v7\] usb: gadget: udc: renesas\_usb3: Fix use after free bug in renesas\_usb3\_remove due to race condition Zheng Wang
2023-03-16 19:07 \` Greg KH
2023-03-17  3:59   \` Zheng Hacker

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35828: Fix use after free bug in renesas_usb3_remove due to race condition

CVE-2023-35828

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.

\* **\[PATCH\] media: rkvdec: fix use after free bug in rkvdec\_remove**
**@ 2023-03-07 17:39 Zheng Wang**
  0 siblings, 0 replies; only message in thread
From: Zheng Wang @ 2023-03-07 17:39 UTC (permalink / raw)
  To: ezequiel
  Cc: mchehab, gregkh, linux-media, linux-rockchip, linux-staging,
	linux-kernel, hackerzheng666, 1395428693sheep, alex000young,
	Zheng Wang

In rkvdec\_probe, rkvdec->watchdog\_work is bound with
rkvdec\_watchdog\_func. Then rkvdec\_vp9\_run may
be called to start the work.

If we remove the module which will call rkvdec\_remove
 to make cleanup, there may be a unfinished work.
 The possible sequence is as follows, which will
 cause a typical UAF bug.

Fix it by canceling the work before cleanup in rkvdec\_remove.

CPU0                  CPU1

                    |rkvdec\_watchdog\_func
rkvdec\_remove       |
 rkvdec\_v4l2\_cleanup|
  v4l2\_m2m\_release  |
    kfree(m2m\_dev); |
                    |
                    | v4l2\_m2m\_get\_curr\_priv
                    |   m2m\_dev->curr\_ctx //use

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/staging/media/rkvdec/rkvdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
index 7bab7586918c..6b14655a8e2c 100644
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -1066,6 +1066,7 @@ static int rkvdec\_remove(struct platform\_device \*pdev)
 {
 	struct rkvdec\_dev \*rkvdec = platform\_get\_drvdata(pdev);
 
+	cancel\_delayed\_work(&rkvdec->watchdog\_work);
 	rkvdec\_v4l2\_cleanup(rkvdec);
 	pm\_runtime\_disable(&pdev->dev);
 	pm\_runtime\_dont\_use\_autosuspend(&pdev->dev);
-- 
2.25.1

^ permalink raw reply related	\[**flat**|nested\] only message in thread

only message in thread, other threads:\[~2023-03-07 17:46 UTC | newest\]

**Thread overview:** (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-07 17:39 \[PATCH\] media: rkvdec: fix use after free bug in rkvdec\_remove Zheng Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-35829: fix use after free bug in rkvdec_remove

An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.

In ravb\_probe, priv->work was bound with ravb\_tx\_timeout\_work.
If timeout occurs, it will start the work. And if we call
ravb\_remove without finishing the work, ther may be a use
after free bug on ndev.

Fix it by finishing the job before cleanup in ravb\_remove.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
---
 drivers/net/ethernet/renesas/ravb\_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/renesas/ravb\_main.c b/drivers/net/ethernet/renesas/ravb\_main.c
index 0f54849a3823..07a08e72f440 100644
--- a/drivers/net/ethernet/renesas/ravb\_main.c
+++ b/drivers/net/ethernet/renesas/ravb\_main.c
@@ -2892,6 +2892,7 @@ static int ravb\_remove(struct platform\_device \*pdev)
 	struct ravb\_private \*priv = netdev\_priv(ndev);
 	const struct ravb\_hw\_info \*info = priv->info;
 
+	cancel\_work\_sync(&priv->work);
 	/\* Stop PTP Clock driver \*/
 	if (info->ccc\_gac)
 		ravb\_ptp\_stop(ndev);
-- 
2.25.1

Tag

#linux