Bug 2216007

Summary: CVE-2023-3327 kernel: saa7134: race condition leading to use-after-free in saa7134_finidev()
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, carnil, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.4-rc1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-20 07:56:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2186214    

Description Mauro Matteo Cascella 2023-06-19 16:50:36 UTC 
A race condition was found in the Philips SAA7134 driver in the Linux kernel. In saa7134_initdev, &dev->video_q.timeout is eventually bound to saa7134_buffer_timeout. If we remove the module or device which will call saa7134_finidev to cleanup, there may be unfinished work. This could lead to a use-after-free issue.

Upstream patch & commit:
https://lore.kernel.org/lkml/20230318085023.832510-1-zyytlz.wz@163.com/t/
https://github.com/torvalds/linux/commit/30cf57da176cca80f11df0d9b7f71581fe601389
Comment 2 Mauro Matteo Cascella 2023-06-20 07:56:10 UTC 

*** This bug has been marked as a duplicate of bug 2215835 ***
Comment 3 Salvatore Bonaccorso 2023-06-21 06:10:27 UTC 
Which one of the CVEs will be rejected?
Comment 4 Salvatore Bonaccorso 2023-06-21 06:12:06 UTC 
I would suggest to reject CVE-2023-3327 which was not yet published, but CVE-2023-35823 is.
Comment 5 Mauro Matteo Cascella 2023-06-21 16:38:24 UTC 
Yup, CVE-2023-3327 (this bug) was rejected. I also sent a formal request to MITRE via https://cveform.mitre.org.
Comment 6 Salvatore Bonaccorso 2023-06-22 06:35:08 UTC 
Hi Mauro

(In reply to Mauro Matteo Cascella from comment #5)
> Yup, CVE-2023-3327 (this bug) was rejected. I also sent a formal request to
> MITRE via https://cveform.mitre.org.

Thanks for the confirmation! Can you as well drop the Bugzilla Alias 
CVE reference (or update it to CVE-2023-35823 in this bug)?
Comment 7 Mauro Matteo Cascella 2023-06-22 07:25:28 UTC 
(In reply to Salvatore Bonaccorso from comment #6)
> Thanks for the confirmation! Can you as well drop the Bugzilla Alias 
> CVE reference (or update it to CVE-2023-35823 in this bug)?

Dropping the BZ alias would make the rejected CVE less easy to find, I guess. Not a big deal though, this chat will serve as a good reference in case someone is interested. Done!