7.8

CVE-2022-50256

drm/meson: remove drm bridges at aggregate driver unbind time

In the Linux kernel, the following vulnerability has been resolved:

drm/meson: remove drm bridges at aggregate driver unbind time

drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init
were not manually removed at module unload time, which caused dangling
references to freed memory to remain linked in the global bridge_list.

When loading the driver modules back in, the same functions would again
call drm_bridge_add, and when traversing the global bridge_list, would
end up peeking into freed memory.

Once again KASAN revealed the problem:

[  +0.000095] =============================================================
[  +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120
[  +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483

[  +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1
[  +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)
[  +0.000008] Call trace:
[  +0.000006]  dump_backtrace+0x1ec/0x280
[  +0.000012]  show_stack+0x24/0x80
[  +0.000008]  dump_stack_lvl+0x98/0xd4
[  +0.000011]  print_address_description.constprop.0+0x80/0x520
[  +0.000011]  print_report+0x128/0x260
[  +0.000008]  kasan_report+0xb8/0xfc
[  +0.000008]  __asan_report_load8_noabort+0x3c/0x50
[  +0.000009]  __list_add_valid+0x9c/0x120
[  +0.000009]  drm_bridge_add+0x6c/0x104 [drm]
[  +0.000165]  dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]
[  +0.000022]  meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]
[  +0.000014]  component_bind+0x174/0x520
[  +0.000012]  component_bind_all+0x1a8/0x38c
[  +0.000010]  meson_drv_bind_master+0x5e8/0xb74 [meson_drm]
[  +0.000032]  meson_drv_bind+0x20/0x2c [meson_drm]
[  +0.000027]  try_to_bring_up_aggregate_device+0x19c/0x390
[  +0.000010]  component_master_add_with_match+0x1c8/0x284
[  +0.000009]  meson_drv_probe+0x274/0x280 [meson_drm]
[  +0.000026]  platform_probe+0xd0/0x220
[  +0.000009]  really_probe+0x3ac/0xa80
[  +0.000009]  __driver_probe_device+0x1f8/0x400
[  +0.000009]  driver_probe_device+0x68/0x1b0
[  +0.000009]  __driver_attach+0x20c/0x480
[  +0.000008]  bus_for_each_dev+0x114/0x1b0
[  +0.000009]  driver_attach+0x48/0x64
[  +0.000008]  bus_add_driver+0x390/0x564
[  +0.000009]  driver_register+0x1a8/0x3e4
[  +0.000009]  __platform_driver_register+0x6c/0x94
[  +0.000008]  meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]
[  +0.000027]  do_one_initcall+0xc4/0x2b0
[  +0.000011]  do_init_module+0x154/0x570
[  +0.000011]  load_module+0x1a78/0x1ea4
[  +0.000008]  __do_sys_init_module+0x184/0x1cc
[  +0.000009]  __arm64_sys_init_module+0x78/0xb0
[  +0.000009]  invoke_syscall+0x74/0x260
[  +0.000009]  el0_svc_common.constprop.0+0xcc/0x260
[  +0.000008]  do_el0_svc+0x50/0x70
[  +0.000007]  el0_svc+0x68/0x1a0
[  +0.000012]  el0t_64_sync_handler+0x11c/0x150
[  +0.000008]  el0t_64_sync+0x18c/0x190

[  +0.000016] Allocated by task 879:
[  +0.000008]  kasan_save_stack+0x2c/0x5c
[  +0.000011]  __kasan_kmalloc+0x90/0xd0
[  +0.000007]  __kmalloc+0x278/0x4a0
[  +0.000011]  mpi_resize+0x13c/0x1d0
[  +0.000011]  mpi_powm+0xd24/0x1570
[  +0.000009]  rsa_enc+0x1a4/0x30c
[  +0.000009]  pkcs1pad_verify+0x3f0/0x580
[  +0.000009]  public_key_verify_signature+0x7a8/0xba4
[  +0.000010]  public_key_verify_signature_2+0x40/0x60
[  +0.000008]  verify_signature+0xb4/0x114
[  +0.000008]  pkcs7_validate_trust_one.constprop.0+0x3b8/0x574
[  +0.000009]  pkcs7_validate_trust+0xb8/0x15c
[  +0.000008]  verify_pkcs7_message_sig+0xec/0x1b0
[  +0.000012]  verify_pkcs7_signature+0x78/0xac
[  +0.000007]  mod_verify_sig+0x110/0x190
[  +0.000009]  module_sig_check+0x114/0x1e0
[  +0.000009]  load_module+0xa0/0x1ea4
[  +0.000008]  __do_sys_init_module+0x184/0x1cc
[  +0.000008]  __arm64_sys_init_module+0x78/0xb0
[  +0.000008]  invoke_syscall+0x74/0x260
[  +0.000009]  el0_svc_common.constprop.0+0x1a8/0x260
[  +0.000008]  do_el0_svc+0x50/0x70
[  +0.000007]  el0_svc+0x68/0x1a0
[  +0.000009]  el0t_64_sync_handler+0x11c/0x150
[  +0.000009]  el0t_64
---truncated---
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.10 < 5.19.17
LinuxLinux Kernel Version >= 6.0 < 6.0.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.043
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/de2b6ebe0cb7746b5b6b35d79e150d934392b958
Patch
https://git.kernel.org/stable/c/fc1fd114dde3d2623ac37676df3d74ffeedb0da8
Patch
https://git.kernel.org/stable/c/09847723c12fc2753749cec3939a02ee92dac468
Patch