Hi Yang,
On Tue, Nov 17, 2020 at 09:27:51PM +0800, Yang Yingliang wrote:
>
> After sunkbd->tq is added to workqueue, before scheduled work finish, sunkbd is
> freed by sunkbd_disconnect(), when sunkbd is used in sunkbd_reinit(), it causes
> a UAF. Fix this by calling flush_scheduled_work()
According to the PoC in link:
https://www.openwall.com/lists/oss-security/2020/11/05/2
Here is UAF log:
[ 235.504246] ==
[ 235.508297] BUG: KASAN: use-after-free in __lock_acquire+0x2c75/0x34e0
[ 235.511906] Read of size 8 at addr ff