In the Linux kernel, the following vulnerability has been resolved: misc/libmasm/module: Fix two use after free in ibmasm_init_one In ibmasm_init_one, it calls ibmasm_init_remote_input_dev(). Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are allocated by input_allocate_device(), and assigned to sp->remote.mouse_dev and sp->remote.keybd_dev respectively. In the err_free_devices error branch of ibmasm_init_one, mouse_dev and keybd_dev are freed by input_free_device(), and return error. Then the execution runs into error_send_message error branch of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev. My patch add a “error_init_remote” label to handle the error of ibmasm_init_remote_input_dev(), to avoid the uaf bugs.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | linux | < 5.14.6-1 | linux_5.14.6-1_all.deb |
Debian | 11 | all | linux | < 5.10.70-1 | linux_5.10.70-1_all.deb |
Debian | 999 | all | linux | < 5.14.6-1 | linux_5.14.6-1_all.deb |
Debian | 13 | all | linux | < 5.14.6-1 | linux_5.14.6-1_all.deb |