CVE-2023-54270

In the Linux kernel, the following vulnerability has been resolved:

media: usb: siano: Fix use after free bugs caused by dosubmiturb

There are UAF bugs caused by dosubmiturb(). One of the KASan reports is shown below:

[ 36.403605] BUG: KASAN: use-after-free in workerthread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dumpstacklvl+0x96/0xd0 [ 36.420522] printaddressdescription+0x75/0x350 [ 36.421992] printreport+0x11b/0x250 [ 36.423174] ? rawspinlockirqsave+0x87/0xd0 [ 36.424806] ? __virtaddrvalid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasanreport+0x131/0x160 [ 36.428556] ? workerthread+0x4a2/0x890 [ 36.430053] workerthread+0x4a2/0x890 [ 36.431297] ? workerclrflags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthreadblkcg+0x50/0x50 [ 36.434669] retfromfork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasansettrack+0x50/0x80 [ 36.439436] __kasankmalloc+0x89/0xa0 [ 36.440566] smsusbprobe+0x374/0xc90 [ 36.441920] usb_probeinterface+0x2d1/0x4c0 [ 36.443253] reallyprobe+0x1d5/0x580 [ 36.444539] __driverprobedevice+0xe3/0x130 [ 36.446085] driverprobedevice+0x49/0x220 [ 36.447423] __deviceattachdriver+0x19e/0x1b0 [ 36.448931] busforeach_drv+0xcb/0x110 [ 36.450217] __deviceattach+0x132/0x1f0 [ 36.451470] busprobedevice+0x59/0xf0 [ 36.452563] deviceadd+0x4ec/0x7b0 [ 36.453830] usbsetconfiguration+0xc63/0xe10 [ 36.455230] usbgenericdriverprobe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usbprobedevice+0x90/0x110 [ 36.459523] reallyprobe+0x1d5/0x580 [ 36.461027] __driverprobedevice+0xe3/0x130 [ 36.462465] driverprobedevice+0x49/0x220 [ 36.463847] __deviceattachdriver+0x19e/0x1b0 [ 36.465229] busforeach_drv+0xcb/0x110 [ 36.466466] __deviceattach+0x132/0x1f0 [ 36.467799] busprobedevice+0x59/0xf0 [ 36.469010] deviceadd+0x4ec/0x7b0 [ 36.470125] usbnewdevice+0x863/0xa00 [ 36.471374] hubevent+0x18c7/0x2220 [ 36.472746] processonework+0x34c/0x5b0 [ 36.474041] workerthread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] retfromfork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasansettrack+0x50/0x80 [ 36.480512] kasansavefree_info+0x2b/0x40 [ 36.481808] ____kasanslabfree+0x122/0x1a0 [ 36.483173] __kmemcachefree+0xc4/0x200 [ 36.484563] smsusbtermdevice+0xcd/0xf0 [ 36.485896] smsusbprobe+0xc85/0xc90 [ 36.486976] usbprobeinterface+0x2d1/0x4c0 [ 36.488303] reallyprobe+0x1d5/0x580 [ 36.489498] __driverprobedevice+0xe3/0x130 [ 36.491140] driverprobedevice+0x49/0x220 [ 36.492475] __deviceattachdriver+0x19e/0x1b0 [ 36.493988] bus_foreachdrv+0xcb/0x110 [ 36.495171] __deviceattach+0x132/0x1f0 [ 36.496617] busprobedevice+0x59/0xf0 [ 36.497875] deviceadd+0x4ec/0x7b0 [ 36.498972] usbsetconfiguration+0xc63/0xe10 [ 36.500264] usbgenericdriverprobe+0x3b/0x80 [ 36.501740] usbprobedevice+0x90/0x110 [ 36.503084] reallyprobe+0x1d5/0x580 [ 36.504241] __driverprobedevice+0xe3/0x130 [ 36.505548] driverprobedevice+0x49/0x220 [ 36.506766] __deviceattachdriver+0x19e/0x1b0 [ 36.508368] bus_foreachdrv+0xcb/0x110 [ 36.509646] _deviceattach+0x132/0x1f0 [ 36.510911] busprobedevice+0x59/0xf0 [ 36.512103] deviceadd+0x4ec/0x7b0 [ 36.513215] usbnewdevice+0x863/0xa00 [ 36.514736] hubevent+0x18c7/0x2220 [ 36.516130] processonework+ ---truncated---