Bug 2216007 - CVE-2023-3327 kernel: saa7134: race condition leading to use-after-free in saa7134_finidev()
Summary: CVE-2023-3327 kernel: saa7134: race condition leading to use-after-free in sa...
Keywords:
Status: CLOSED DUPLICATE of bug 2215835
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2186214
TreeView+ depends on / blocked
 
Reported: 2023-06-19 16:50 UTC by Mauro Matteo Cascella
Modified: 2023-06-22 07:25 UTC (History)
47 users (show)

Fixed In Version: kernel 6.4-rc1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-20 07:56:10 UTC
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-06-19 16:50:36 UTC
A race condition was found in the Philips SAA7134 driver in the Linux kernel. In saa7134_initdev, &dev->video_q.timeout is eventually bound to saa7134_buffer_timeout. If we remove the module or device which will call saa7134_finidev to cleanup, there may be unfinished work. This could lead to a use-after-free issue.

Upstream patch & commit:
https://lore.kernel.org/lkml/20230318085023.832510-1-zyytlz.wz@163.com/t/
https://github.com/torvalds/linux/commit/30cf57da176cca80f11df0d9b7f71581fe601389

Comment 2 Mauro Matteo Cascella 2023-06-20 07:56:10 UTC

*** This bug has been marked as a duplicate of bug 2215835 ***

Comment 3 Salvatore Bonaccorso 2023-06-21 06:10:27 UTC
Which one of the CVEs will be rejected?

Comment 4 Salvatore Bonaccorso 2023-06-21 06:12:06 UTC
I would suggest to reject CVE-2023-3327 which was not yet published, but CVE-2023-35823 is.

Comment 5 Mauro Matteo Cascella 2023-06-21 16:38:24 UTC
Yup, CVE-2023-3327 (this bug) was rejected. I also sent a formal request to MITRE via https://cveform.mitre.org.

Comment 6 Salvatore Bonaccorso 2023-06-22 06:35:08 UTC
Hi Mauro

(In reply to Mauro Matteo Cascella from comment #5)
> Yup, CVE-2023-3327 (this bug) was rejected. I also sent a formal request to
> MITRE via https://cveform.mitre.org.

Thanks for the confirmation! Can you as well drop the Bugzilla Alias 
CVE reference (or update it to CVE-2023-35823 in this bug)?

Comment 7 Mauro Matteo Cascella 2023-06-22 07:25:28 UTC
(In reply to Salvatore Bonaccorso from comment #6)
> Thanks for the confirmation! Can you as well drop the Bugzilla Alias 
> CVE reference (or update it to CVE-2023-35823 in this bug)?

Dropping the BZ alias would make the rejected CVE less easy to find, I guess. Not a big deal though, this chat will serve as a good reference in case someone is interested. Done!


Note You need to log in before you can comment on or make changes to this bug.