• CVE-2023-52468

Published: May 27, 2024

Modified: May 27, 2024

Summary

In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in the lock_keys_hash hlist after subsys_private is freed in the error handler path. A task that iterates over the lock_keys_hash later may cause a use-after-free. So fix that up and unregister the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of creating a duplicate filename /class/xxx. With KASAN enabled, it prints an invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G W 6.6.0-mainline-maybe-dirty #1
Call trace:
dump_backtrace+0x1b0/0x1e4
show_stack+0x2c/0x40
dump_stack_lvl+0xac/0xe0
print_report+0x18c/0x4d8
kasan_report+0xe8/0x148
__hwasan_store8_noabort+0x88/0x98
lockdep_register_key+0x19c/0x1bc
class_register+0x94/0x1ec
init_module+0xbc/0xf48 [rfkill]
do_one_initcall+0x17c/0x72c
do_init_module+0x19c/0x3f8
...

Memory state around the buggy address:
ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                     ^
ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, KASAN reports invalid-access, not use-after-free, here. In this case, modprobe is manipulating the corrupted lock_keys_hash hlist where the lock_class_key has already been freed. It's worth noting that this can only happen if lockdep is enabled, which is not true for a normal system.

CVSS v3 Metrics

Metric                NVD        openEuler
CVSS Score            7.8        4.4
Attack Vector         Local      Local
Attack Complexity     Low        Low
Privileges Required   Low        High
User Interaction      None       None
Scope                 Unchanged  Unchanged
Confidentiality       High       None
Integrity             High       None
Availability          High       High

Security Advisories

Advisory                Summary                                                                                                          Published
KylinSec-SA-2024-2246   In the Linux kernel, the following vulnerability has been resolved: class: fix use-after-free in class_register() (full text in the Summary section above)   May 27, 2024

Affected Products

Product           Status
KY3.4-4A kernel Unaffected
KY3.4-5A kernel Unaffected
KY3.5.1 kernel Unaffected
KY3.5.2 kernel Unaffected