Linux kernel through 5.3.8 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) Vulnerability

Summary

These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

Credit:

The information has been provided by Alexander Popov

The original article can be found at: https://lore.kernel.org/lkml/20191103221719.27118-1-alex.popov@linux.com/



Details

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the vivid driver happens to be loaded. There are multiple race conditions while streaming is being stopped in this driver (part of the V4L2 subsystem).


Vulnerable Systems:

Linux kernel through 5.3.8


CVE Information:

CVE-2019-18683
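
As an added example (not part of this advisory and not code from the kernel project), the following POSIX shell script turns the exposure conditions stated above into a local check: a kernel version through 5.3.8, the vivid module present in /proc/modules, and a /dev/video0 node whose mode lets other users open it. The sample /proc/modules lines are constructed, the 5.3.8 cut-off is taken from the advisory's "through 5.3.8", and all function and variable names are the example's own. Distribution kernels may carry a backported fix at an older version number, so the version test is a heuristic; treat a positive result as a prompt to confirm against your vendor's changelog rather than as proof.

```shell
#!/bin/sh
# Added example: local exposure check for CVE-2019-18683 (vivid race conditions).
# Assumptions (not stated in the advisory): the module shows up as "vivid" in
# /proc/modules, the relevant node is /dev/video0, and "through 5.3.8" means
# every version whose first three numeric components are <= 5.3.8.

# version_le A B: return 0 when dotted version A is <= B (first three components,
# non-numeric suffixes such as "-generic" or "-rc1" are ignored).
version_le() {
    _a="$1"; _b="$2"; _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s' "$_a" | cut -d. -f"$_i" | sed 's/[^0-9].*//')
        _y=$(printf '%s' "$_b" | cut -d. -f"$_i" | sed 's/[^0-9].*//')
        _x=${_x:-0}; _y=${_y:-0}
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
        _i=$((_i + 1))
    done
    return 0
}

# vivid_loaded MODULES_TEXT: return 0 when a /proc/modules line names "vivid".
vivid_loaded() {
    printf '%s\n' "$1" | grep -q '^vivid '
}

# device_world_rw MODE: MODE is the octal mode string (e.g. 660 or 0666);
# return 0 when the "other" digit grants both read and write.
device_world_rw() {
    case "$1" in
        *[67]) return 0 ;;
        *)     return 1 ;;
    esac
}

# cve_2019_18683_exposed KVER MODULES_TEXT DEVMODE: print a verdict and return 0
# only when all three exposure conditions from the advisory hold.
cve_2019_18683_exposed() {
    if ! version_le "$1" "5.3.8"; then
        echo "kernel $1 is newer than 5.3.8: not in the affected range"
        return 1
    fi
    if ! vivid_loaded "$2"; then
        echo "kernel $1 in range but vivid is not loaded: not exposed"
        return 1
    fi
    if ! device_world_rw "$3"; then
        echo "kernel $1 in range, vivid loaded, /dev/video0 mode $3 not world rw: restrict group access instead"
        return 1
    fi
    echo "EXPOSED: kernel $1 <= 5.3.8, vivid loaded, /dev/video0 mode $3 is world rw"
    return 0
}

# Constructed sample input resembling /proc/modules on a host with vivid loaded.
SAMPLE_MODULES="vivid 147456 0 - Live 0x0000000000000000
videobuf2_vmalloc 20480 1 vivid, Live 0x0000000000000000"

# Demonstration on constructed values (return codes swallowed so the script
# keeps going); replace with uname -r, /proc/modules and stat for a live run:
#   cve_2019_18683_exposed "$(uname -r)" "$(cat /proc/modules)" \
#       "$(stat -c %a /dev/video0 2>/dev/null || echo 000)"
cve_2019_18683_exposed "5.3.7-generic" "$SAMPLE_MODULES" "666" || true
cve_2019_18683_exposed "5.3.7-generic" "$SAMPLE_MODULES" "660" || true
cve_2019_18683_exposed "5.4.0-rc5" "$SAMPLE_MODULES" "666" || true
```

The check fails closed on the version comparison only in the sense that an unparseable version string compares as 0 and is therefore reported as affected; that is the conservative direction for an exposure check. Tightening /dev/video0 to a video group (mode 660) removes the "local users have /dev/video0 access" precondition for accounts outside that group, which is the mitigation available when the kernel cannot be updated immediately.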


Disclosure Timeline:
Published Date: 11/4/2019