In the Linux kernel, the following vulnerability has been resolved:
sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
rmmod sata_fsl.ko
command is executed in the PPC64 GNU/Linux,The triggering of the BUG is shown in the following stack:
driver_detach
device_release_driver_internal
__device_release_driver
drv->remove(dev) –> platform_drv_remove/platform_remove
drv->remove(dev) –> sata_fsl_remove
iounmap(host_priv->hcr_base); <---- unmap
kfree(host_priv); <---- free
devres_release_all
release_nodes
dr->node.release(dev, dr->data) –> ata_host_stop
ap->ops->port_stop(ap) –> sata_fsl_port_stop
ioread32(hcr_base + HCONTROL) <---- UAF
host->ops->host_stop(host)
The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.
Vendor | Product | Version | CPE |
---|---|---|---|
linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/ata/sata_fsl.c"
],
"versions": [
{
"version": "faf0b2e5afe7",
"lessThan": "cdcd80292106",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "91ba94d3f7af",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "325ea49fc43c",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "0769449b0a5e",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "77393806c76b",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "4a46b2f5dce0",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "adf098e2a8a1",
"status": "affected",
"versionType": "git"
},
{
"version": "faf0b2e5afe7",
"lessThan": "6c8ad7e8cf29",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/ata/sata_fsl.c"
],
"versions": [
{
"version": "2.6.24",
"status": "affected"
},
{
"version": "0",
"lessThan": "2.6.24",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.4.294",
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.9.292",
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.14.257",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.220",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.164",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.84",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.7",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.16",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/0769449b0a5eabc3545337217ae690e46673e73a
git.kernel.org/stable/c/325ea49fc43cbc03a5e1e37de8f0ca6357ced4b1
git.kernel.org/stable/c/4a46b2f5dce02539e88a300800812bd24a45e097
git.kernel.org/stable/c/6c8ad7e8cf29eb55836e7a0215f967746ab2b504
git.kernel.org/stable/c/77393806c76b6b44f1c44bd957788c8bd9152c45
git.kernel.org/stable/c/91ba94d3f7afca195b224f77a72044fbde1389ce
git.kernel.org/stable/c/adf098e2a8a1e1fc075d6a5ba2edd13cf7189082
git.kernel.org/stable/c/cdcd80292106df5cda325426e96495503e41f947