In the Linux kernel, the following vulnerability has been resolved:
uio: Fix use-after-free in uio_open
In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:
To address this issue, we can get idev atomic & inc idev reference with minor_lock.
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux_kernel | Linux | 4.18.0 (excluding) | 4.19.306 (excluding) |
| Linux_kernel | Linux | 4.20.0 (including) | 5.4.268 (excluding) |
| Linux_kernel | Linux | 5.5.0 (including) | 5.10.209 (excluding) |
| Linux_kernel | Linux | 5.11.0 (including) | 5.15.148 (excluding) |
| Linux_kernel | Linux | 5.16.0 (including) | 6.1.74 (excluding) |
| Linux_kernel | Linux | 6.2.0 (including) | 6.6.13 (excluding) |
| Linux_kernel | Linux | 6.7.0 (including) | 6.7.1 (excluding) |
| Linux_kernel | Linux | 4.18 (including) | 4.18 (including) |
| Linux_kernel | Linux | 4.18-rc5 (including) | 4.18-rc5 (including) |
| Linux_kernel | Linux | 4.18-rc6 (including) | 4.18-rc6 (including) |
| Linux_kernel | Linux | 4.18-rc7 (including) | 4.18-rc7 (including) |
| Linux_kernel | Linux | 4.18-rc8 (including) | 4.18-rc8 (including) |