cve/published/2022/CVE-2022-48759.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-48759: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev

struct rpmsg_ctrldev contains a struct cdev. The current code frees
the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
cdev is a managed object, therefore its release is not predictable
and the rpmsg_ctrldev could be freed before the cdev is entirely
released, as in the backtrace below.

[   93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
[   93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
[   93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
[   93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.4.163-lockdep #26
[   93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
[   93.730055] Workqueue: events kobject_delayed_cleanup
[   93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
[   93.740216] pc : debug_print_object+0x13c/0x1b0
[   93.744890] lr : debug_print_object+0x13c/0x1b0
[   93.749555] sp : ffffffacf5bc7940
[   93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
[   93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
[   93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
[   93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
[   93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
[   93.780338] x19: ffffffd075199100 x18: 00000000000276e0
[   93.785814] x17: 0000000000000000 x16: dfffffd000000000
[   93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
[   93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
[   93.802244] x11: 0000000000000001 x10: 0000000000000000
[   93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
[   93.813200] x7 : 0000000000000000 x6 : 0000000000000000
[   93.818676] x5 : 0000000000000080 x4 : 0000000000000000
[   93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
[   93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
[   93.835104] Call trace:
[   93.837644]  debug_print_object+0x13c/0x1b0
[   93.841963]  __debug_check_no_obj_freed+0x25c/0x3c0
[   93.846987]  debug_check_no_obj_freed+0x18/0x20
[   93.851669]  slab_free_freelist_hook+0xbc/0x1e4
[   93.856346]  kfree+0xfc/0x2f4
[   93.859416]  rpmsg_ctrldev_release_device+0x78/0xb8
[   93.864445]  device_release+0x84/0x168
[   93.868310]  kobject_cleanup+0x12c/0x298
[   93.872356]  kobject_delayed_cleanup+0x10/0x18
[   93.876948]  process_one_work+0x578/0x92c
[   93.881086]  worker_thread+0x804/0xcf8
[   93.884963]  kthread+0x2a8/0x314
[   93.888303]  ret_from_fork+0x10/0x18

The cdev_device_add/del() API was created to address this issue (see
commit '233ed09d7fda ("chardev: add helper function to register char
devs with a struct device")'), use it instead of cdev add/del().

The Linux kernel CVE team has assigned CVE-2022-48759 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 4.14.265 with commit 74d85e9fbc7022a4011102c7474a9c7aeb704a35
	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 4.19.228 with commit 70cb4295ec806b663665e1d2ed15caab6159880e
	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 5.4.176 with commit da27b834c1e0222e149e06caddf7718478086d1b
	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 5.10.96 with commit 1dbb206730f3e5ce90014ad569ddf8167ec4124a
	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 5.15.19 with commit 85aba11a8ea92a8eef2de95ebbe063086fd62d9c
	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 5.16.5 with commit d6cdc6ae542845d4d0ac8b6d99362bde7042a3c7
	Issue introduced in 4.11 with commit c0cdc19f84a4712cf74888f83af286e3c2e14efd and fixed in 5.17 with commit b7fb2dad571d1e21173c06cef0bced77b323990a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48759
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/rpmsg/rpmsg_char.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/74d85e9fbc7022a4011102c7474a9c7aeb704a35
	https://git.kernel.org/stable/c/70cb4295ec806b663665e1d2ed15caab6159880e
	https://git.kernel.org/stable/c/da27b834c1e0222e149e06caddf7718478086d1b
	https://git.kernel.org/stable/c/1dbb206730f3e5ce90014ad569ddf8167ec4124a
	https://git.kernel.org/stable/c/85aba11a8ea92a8eef2de95ebbe063086fd62d9c
	https://git.kernel.org/stable/c/d6cdc6ae542845d4d0ac8b6d99362bde7042a3c7
	https://git.kernel.org/stable/c/b7fb2dad571d1e21173c06cef0bced77b323990a