In the Linux kernel, the following vulnerability has been resolved:
drm/meson: remove drm bridges at aggregate driver unbind time
drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list.
When loading the driver modules back in, the same functions would again call drm_bridge_add, and when traversing the global bridge_list, would end up peeking into freed memory.
Once again KASAN revealed the problem:
[ +0.000095] =============================================================
[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120
[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483

[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ +0.000008] Call trace:
[ +0.000006]  dump_backtrace+0x1ec/0x280
[ +0.000012]  show_stack+0x24/0x80
[ +0.000008]  dump_stack_lvl+0x98/0xd4
[ +0.000011]  print_address_description.constprop.0+0x80/0x520
[ +0.000011]  print_report+0x128/0x260
[ +0.000008]  kasan_report+0xb8/0xfc
[ +0.000008]  __asan_report_load8_noabort+0x3c/0x50
[ +0.000009]  __list_add_valid+0x9c/0x120
[ +0.000009]  drm_bridge_add+0x6c/0x104 [drm]
[ +0.000165]  dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]
[ +0.000022]  meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]
[ +0.000014]  component_bind+0x174/0x520
[ +0.000012]  component_bind_all+0x1a8/0x38c
[ +0.000010]  meson_drv_bind_master+0x5e8/0xb74 [meson_drm]
[ +0.000032]  meson_drv_bind+0x20/0x2c [meson_drm]
[ +0.000027]  try_to_bring_up_aggregate_device+0x19c/0x390
[ +0.000010]  component_master_add_with_match+0x1c8/0x284
[ +0.000009]  meson_drv_probe+0x274/0x280 [meson_drm]
[ +0.000026]  platform_probe+0xd0/0x220
[ +0.000009]  really_probe+0x3ac/0xa80
[ +0.000009]  __driver_probe_device+0x1f8/0x400
[ +0.000009]  driver_probe_device+0x68/0x1b0
[ +0.000009]  __driver_attach+0x20c/0x480
[ +0.000008]  bus_for_each_dev+0x114/0x1b0
[ +0.000009]  driver_attach+0x48/0x64
[ +0.000008]  bus_add_driver+0x390/0x564
[ +0.000009]  driver_register+0x1a8/0x3e4
[ +0.000009]  __platform_driver_register+0x6c/0x94
[ +0.000008]  meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]
[ +0.000027]  do_one_initcall+0xc4/0x2b0
[ +0.000011]  do_init_module+0x154/0x570
[ +0.000011]  load_module+0x1a78/0x1ea4
[ +0.000008]  __do_sys_init_module+0x184/0x1cc
[ +0.000009]  __arm64_sys_init_module+0x78/0xb0
[ +0.000009]  invoke_syscall+0x74/0x260
[ +0.000009]  el0_svc_common.constprop.0+0xcc/0x260
[ +0.000008]  do_el0_svc+0x50/0x70
[ +0.000007]  el0_svc+0x68/0x1a0
[ +0.000012]  el0t_64_sync_handler+0x11c/0x150
[ +0.000008]  el0t_64_sync+0x18c/0x190

[ +0.000016] Allocated by task 879:
[ +0.000008]  kasan_save_stack+0x2c/0x5c
[ +0.000011]  __kasan_kmalloc+0x90/0xd0
[ +0.000007]  __kmalloc+0x278/0x4a0
[ +0.000011]  mpi_resize+0x13c/0x1d0
[ +0.000011]  mpi_powm+0xd24/0x1570
[ +0.000009]  rsa_enc+0x1a4/0x30c
[ +0.000009]  pkcs1pad_verify+0x3f0/0x580
[ +0.000009]  public_key_verify_signature+0x7a8/0xba4
[ +0.000010]  public_key_verify_signature_2+0x40/0x60
[ +0.000008]  verify_signature+0xb4/0x114
[ +0.000008]  pkcs7_validate_trust_one.constprop.0+0x3b8/0x574
[ +0.000009]  pkcs7_validate_trust+0xb8/0x15c
[ +0.000008]  verify_pkcs7_message_sig+0xec/0x1b0
[ +0.000012]  verify_pkcs7_signature+0x78/0xac
[ +0.000007]  mod_verify_sig+0x110/0x190
[ +0.000009]  module_sig_check+0x114/0x1e0
[ +0.000009]  load_module+0xa0/0x1ea4
[ +0.000008]  __do_sys_init_module+0x184/0x1cc
[ +0.000008]  __arm64_sys_init_module+0x78/0xb0
[ +0.000008]  invoke_syscall+0x74/0x260
[ +0.000009]  el0_svc_common.constprop.0+0x1a8/0x260
[ +0.000008]  do_el0_svc+0x50/0x70
[ +0.000007]  el0_svc+0x68/0x1a0
[ +0.000009]  el0t_64_sync_handler+0x11c/0x150
[ +0.000009]  el0t_64 ---truncated---
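The failure pattern the commit message describes, reproduced as an added example that is not kernel code and not part of the original text: a global intrusive list that outlives a module (standing in for drm's bridge_list), a driver that links its bridge objects into it on bind, and an unbind that frees them without unlinking. To make the use-after-free observable without relying on undefined behaviour, the example allocates bridges from a private arena that quarantines freed slots and records them, so the `__list_add_valid`-style check can report a neighbour that lives in freed memory the way KASAN's shadow check does. All names here (`bridge`, `bridge_add`, `bridge_remove`, `driver_cycle`, `load_twice`) are hypothetical stand-ins, not the meson or drm functions.

```c
/* Added example: models the dangling-bridge use-after-free on a private
 * arena so it is detected deterministically. Names are hypothetical
 * stand-ins for struct drm_bridge, bridge_list, drm_bridge_add() and the
 * aggregate driver's bind/unbind; this is not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

struct bridge {
    struct list_head list;   /* linked into bridge_list, like drm_bridge::list */
    const char *name;
};

/* Global list that survives module unload, like drm_bridge.c's bridge_list. */
static struct list_head bridge_list = { &bridge_list, &bridge_list };

/* Bump allocator over a fixed arena; freed slots are quarantined (never
 * reused) and remembered, playing the role of KASAN's shadow memory. */
#define NSLOTS 8
static struct bridge arena[NSLOTS];
static bool slot_freed[NSLOTS];
static int next_slot;

static struct bridge *bridge_alloc(const char *name)
{
    if (next_slot >= NSLOTS)
        return NULL;
    struct bridge *b = &arena[next_slot++];
    memset(b, 0, sizeof *b);
    b->name = name;
    return b;
}

static void bridge_free(struct bridge *b)
{
    slot_freed[b - arena] = true;   /* poison: object is gone, bytes remain */
}

/* Does this list node live inside a freed object? */
static bool points_into_freed(const struct list_head *n)
{
    uintptr_t p = (uintptr_t)n;
    for (int i = 0; i < NSLOTS; i++)
        if (slot_freed[i] && p >= (uintptr_t)&arena[i] && p < (uintptr_t)(&arena[i] + 1))
            return true;
    return false;
}

/* Equivalent of __list_add_valid(): it reads prev->next and next->prev, so a
 * freed neighbour means a use-after-free read. Returns false where KASAN
 * would report, or where the links are already inconsistent. */
static bool list_add_valid(struct list_head *new, struct list_head *prev,
                           struct list_head *next)
{
    if (points_into_freed(prev) || points_into_freed(next))
        return false;
    return prev->next == next && next->prev == prev && new != prev && new != next;
}

/* drm_bridge_add() equivalent: list_add_tail() onto the global list. */
static bool bridge_add(struct bridge *b)
{
    struct list_head *prev = bridge_list.prev, *next = &bridge_list;
    if (!list_add_valid(&b->list, prev, next))
        return false;
    b->list.prev = prev;
    b->list.next = next;
    prev->next = &b->list;
    next->prev = &b->list;
    return true;
}

/* drm_bridge_remove() equivalent: unlink before the object is freed. */
static void bridge_remove(struct bridge *b)
{
    b->list.prev->next = b->list.next;
    b->list.next->prev = b->list.prev;
    b->list.next = b->list.prev = NULL;
}

/* One bind/unbind cycle of the hypothetical driver. With remove_on_unbind
 * false it mirrors the bug: bridges are freed while still on bridge_list. */
static bool driver_cycle(bool remove_on_unbind)
{
    struct bridge *hdmi = bridge_alloc("hdmi");
    struct bridge *cvbs = bridge_alloc("cvbs");
    if (!hdmi || !cvbs)
        return false;
    if (!bridge_add(hdmi) || !bridge_add(cvbs))
        return false;               /* on reload: walked into freed memory */
    if (remove_on_unbind) {         /* the fix: unlink at unbind time */
        bridge_remove(hdmi);
        bridge_remove(cvbs);
    }
    bridge_free(hdmi);
    bridge_free(cvbs);
    return true;
}

/* Load the module twice from a clean state; true only if both loads pass
 * list validation. */
static bool load_twice(bool remove_on_unbind)
{
    memset(slot_freed, 0, sizeof slot_freed);
    next_slot = 0;
    bridge_list.next = bridge_list.prev = &bridge_list;
    return driver_cycle(remove_on_unbind) && driver_cycle(remove_on_unbind);
}

int main(void)
{
    printf("unbind without remove: %s\n", load_twice(false) ? "ok" : "use-after-free on reload");
    printf("unbind with remove   : %s\n", load_twice(true) ? "ok" : "use-after-free on reload");
    return 0;
}
```

The second load fails in the unfixed variant because `bridge_list.prev` still points at the `cvbs` object freed by the first unbind, which is exactly the neighbour `__list_add_valid` dereferences in the KASAN trace above; unlinking on unbind leaves the global list empty, so the reload starts from a consistent head.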