Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability

From: Greg KH
Date: Mon Aug 05 2024 - 02:55:26 EST

Next message: kernel test robot: "Re: [PATCH 7/7] drm/i915/pmu: Do not set event_init to NULL"
Previous message: syzbot: "[syzbot] [io-uring?] KCSAN: data-race in __flush_work / __flush_work (2)"
In reply to: LidongLI: "Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability"
Next in thread: LidongLI: "Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 05, 2024 at 10:20:30AM +0800, LidongLI wrote:
> Hi Greg,
>
> We tried it, and after configuring the udev rules, I can run the proof of concept (PoC) and reproduce the previous issue without using sudo
>

What did you do exactly with a new udev rule? Did you give it userspace
permission to unbind/reset the device?

As it is today, this requires root permissions and it looks to just be a
race with the existing kernel driver setting the device up and userspace
trying to reset the device at the same time, not anything that can
normally happen in a system from what I can tell.

thanks,

greg k-h

Next message: kernel test robot: "Re: [PATCH 7/7] drm/i915/pmu: Do not set event_init to NULL"
Previous message: syzbot: "[syzbot] [io-uring?] KCSAN: data-race in __flush_work / __flush_work (2)"
In reply to: LidongLI: "Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability"
Next in thread: LidongLI: "Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]