Use-After-Free Vulnerability in drivers/media/rc [CVE-2023-1118]
Original Post:
We discussed this vulnerability during Episode 196 on 14 March 2023
Yet another case of bad synchronization, or simply performing operations in the wrong order. In this case ene_remove, called when removing the device, tears down its internal allocations and everything else before it actually unregisters the device. That leaves a window in which the pointers have already been freed but the device is still accessible, which can lead to a use-after-free. It was also noticed that the driver did not clean up timers at all, so setting a timer and then removing the device can lead to the timer firing during the cleanup process, again leading to a use-after-free.
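As an added illustration (not the ene_ir driver's code), the following user-space model runs the free-before-unregister teardown the text describes beside a quiesce-first ordering and counts how many events would land on freed memory; the step names standing in for rc_unregister_device, del_timer_sync and the driver's frees are assumptions about the remove path, not quoted from the patch.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the remove-path ordering bug, not the driver's code.
 * The device stays "reachable" through the two routes the text names: the
 * still-registered rc device and a timer that was never cancelled. */
enum step { STEP_UNREGISTER, STEP_CANCEL_TIMER, STEP_FREE };

struct dev_model {
    bool registered;   /* device still visible through the rc core */
    bool timer_armed;  /* a timer set before removal and not yet cancelled */
    bool freed;        /* internal allocations already released */
};

/* One event that may land between teardown steps: a timer callback or a call
 * through the registered device. True if it would touch freed memory. */
bool event_would_uaf(const struct dev_model *d)
{
    return d->freed && (d->registered || d->timer_armed);
}

void apply_step(struct dev_model *d, enum step s)
{
    switch (s) {
    case STEP_UNREGISTER:   d->registered = false;  break; /* rc_unregister_device() */
    case STEP_CANCEL_TIMER: d->timer_armed = false; break; /* del_timer_sync() */
    case STEP_FREE:         d->freed = true;        break; /* kfree() and friends */
    }
}

/* Runs a removal sequence with an event firing after every step and returns
 * how many of those events would have hit freed memory. */
int run_remove(const enum step *steps, size_t n, bool timer_pending)
{
    struct dev_model d = { .registered = true, .timer_armed = timer_pending, .freed = false };
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        apply_step(&d, steps[i]);
        if (event_would_uaf(&d))
            hits++;
    }
    return hits;
}

/* Ordering the text describes: free first, unregister last, timer never cancelled. */
int remove_as_described(bool timer_pending)
{
    const enum step order[] = { STEP_FREE, STEP_UNREGISTER };
    return run_remove(order, 2, timer_pending);
}

/* Safe ordering: cut off both routes to the device, then free. */
int remove_quiesce_first(bool timer_pending)
{
    const enum step order[] = { STEP_UNREGISTER, STEP_CANCEL_TIMER, STEP_FREE };
    return run_remove(order, 3, timer_pending);
}
```

Any order that frees before both quiesce points is reported as a hit, which is the property a reviewer checks in a remove path: unregister and cancel deferred work first, free last.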