Bug 8150 (CVE-2024-24861) - [media] Race condition in the xc4000_get_frequency function of xc4000
Summary: [media] Race condition in the xc4000_get_frequency function of xc4000
Status: IN_PROGRESS
Alias: CVE-2024-24861
Product: ANCK 5.10 Dev
Classification: ANCK
Component: drivers
Version: 5.10.y-16
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: GuixinLiu
QA Contact: shuming
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-01 17:19 UTC by Shiloong
Modified: 2024-03-21 09:54 UTC
2 users

See Also:

Description Shiloong admin 2024-02-01 17:19:10 UTC
Reporter information:
  - Bai Jiaju <baijiaju@buaa.edu.cn>
  - School of Cyber Science and Technology, Beihang University

Cause:
In xc4000_get_frequency, the frequency is read via *freq = priv->freq_hz + priv->freq_offset without holding any lock, but while the read is in progress priv->freq_hz and priv->freq_offset may be updated concurrently by xc4000_set_params. xc4000_get_frequency can therefore read intermediate values in which priv->freq_hz and priv->freq_offset do not match, returning an incorrect value or even an integer overflow.

Impact:
xc4000_get_frequency is the get_frequency entry of the xc4000 driver's dvb_tuner_ops interface, so every media device that uses xc4000 as its tuner is affected by this vulnerability: it reads an incorrect frequency value, which affects the related ioctls. In devices such as em28xx, which set a new frequency based on the frequency they read back, this can additionally cause an illegal frequency to be set, leading to device malfunction.

The media-related ioctls of devices that use xc4000 as their tuner return incorrect or overflowed values; depending on the implementation, this causes some devices to malfunction and can be used for denial-of-service attacks.

Fix / mitigation:
   -  In xc4000_get_frequency, hold the priv->lock mutex while reading priv->freq_hz and priv->freq_offset, preventing xc4000_set_params from updating them concurrently.

The patch has been submitted to the Linux kernel media subsystem maintainers. Patch links:
https://patchwork.kernel.org/project/linux-media/patch/20231222055030.5237-1-2045gemini@gmail.com/
https://lore.kernel.org/lkml/20231222055030.5237-1-2045gemini@gmail.com/
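The race and the mitigation described in the report, modelled in user-space C with pthreads (added example; this is not the xc4000 driver's code or the submitted patch). The struct field names freq_hz, freq_offset and lock mirror those in the report, the two tuner settings are constructed values, and model_set_params / model_get_frequency_* are hypothetical stand-ins for xc4000_set_params and xc4000_get_frequency. The writer updates the two fields as separate stores under the mutex; a reader that skips the mutex can run between the stores and add an old freq_hz to a new freq_offset (a torn read), which is exactly the mismatched pair the report describes. The locked reader can only ever observe one of the two consistent totals.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-in for the fields of struct xc4000_priv named in the
 * report (freq_hz, freq_offset, lock). Constructed for this example. */
struct priv_model {
    pthread_mutex_t lock;
    uint32_t freq_hz;
    uint32_t freq_offset;
};

/* Two constructed tuner settings. A consistent reader must see exactly
 * HZ_A + OFF_A or HZ_B + OFF_B; mixing fields across settings gives neither. */
#define HZ_A  474000000u   /* 474 MHz with a 1.75 MHz offset -> 475750000 */
#define OFF_A 1750000u
#define HZ_B  100000000u   /* 100 MHz with no offset          -> 100000000 */
#define OFF_B 0u

/* Modelled on xc4000_set_params: both fields change under priv->lock, but
 * as two separate stores, so a reader that ignores the lock can run between
 * them. */
void model_set_params(struct priv_model *p, uint32_t hz, uint32_t off)
{
    pthread_mutex_lock(&p->lock);
    p->freq_hz = hz;
    p->freq_offset = off;
    pthread_mutex_unlock(&p->lock);
}

/* Pre-fix read path from the report: no lock, so this is a data race. */
uint32_t model_get_frequency_unlocked(struct priv_model *p)
{
    return p->freq_hz + p->freq_offset;
}

/* Read path with the mitigation the report describes: hold priv->lock
 * across the read of both fields. */
uint32_t model_get_frequency_locked(struct priv_model *p)
{
    uint32_t f;
    pthread_mutex_lock(&p->lock);
    f = p->freq_hz + p->freq_offset;
    pthread_mutex_unlock(&p->lock);
    return f;
}

struct writer_arg { struct priv_model *p; volatile int *stop; };

/* Writer thread: toggles between the two settings until told to stop. */
static void *writer_thread(void *arg)
{
    struct writer_arg *w = arg;
    for (int i = 0; !*w->stop; i++) {
        if (i & 1) model_set_params(w->p, HZ_A, OFF_A);
        else       model_set_params(w->p, HZ_B, OFF_B);
    }
    return NULL;
}

/* Reads `iterations` times while the writer runs and returns how many reads
 * matched neither consistent total (torn reads). With locked == 1 the result
 * must be 0; with locked == 0 it is timing- and compiler-dependent. Returns
 * -1 if the writer thread could not be started. */
long count_torn_reads(long iterations, int locked)
{
    struct priv_model p = { PTHREAD_MUTEX_INITIALIZER, HZ_A, OFF_A };
    volatile int stop = 0;
    struct writer_arg w = { &p, &stop };
    pthread_t tid;
    long torn = 0;

    if (pthread_create(&tid, NULL, writer_thread, &w) != 0)
        return -1;
    for (long i = 0; i < iterations; i++) {
        uint32_t f = locked ? model_get_frequency_locked(&p)
                            : model_get_frequency_unlocked(&p);
        if (f != HZ_A + OFF_A && f != HZ_B + OFF_B)
            torn++;
    }
    stop = 1;
    pthread_join(tid, NULL);
    return torn;
}

int main(void)
{
    printf("unlocked torn reads: %ld\n", count_torn_reads(2000000, 0));
    printf("locked torn reads:   %ld\n", count_torn_reads(2000000, 1));
    return 0;
}
```

Build with a pthread-enabled toolchain (for example `cc -O2 -pthread`). The unlocked count is only a demonstration: because the unlocked read is undefined behaviour under the C memory model, an optimiser may hoist the loads and hide the race on a given build, and a single-core host may never interleave the threads at the right moment. The locked count is the property worth checking: it is zero by construction, which is the guarantee the report's mitigation (holding priv->lock in xc4000_get_frequency) provides in the driver.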