About CVE-2022-41849 : smscufx driver – Fix use-after-free in ufx_ops_open() (2nd Oct 2022)

Preface: Do I need to install drivers in Linux? That’s the vision of Linux — the drivers are open-source and integrated into the kernel and other pieces of software. You don’t have to install them or tweak them — the system automatically detects your hardware and uses the appropriate drivers. If you’ve installed Linux, your hardware should just work.

Background: smscufx.c is the framebuffer driver for the SMSC UFX USB display controller. The driver has been present in the kernel for a long time.
Many USB display adapters use DisplayLink chipsets; there are Linux drivers for the older USB 2 chipsets but no support for the USB 3 ones. SMSC-based adapters are less common, or are explicitly marked as using an SMSC chipset.
To configure 16-bit mode, locate DEFAULT_BPP in smscufx.h and set it to 2, and use xorg.conf.16bit as your xorg.conf file; your start-up screen will be green. To configure 32-bit mode, set DEFAULT_BPP in smscufx.h to 4 and use xorg.conf.32bit as your xorg.conf file; your start-up screen will be white.

Vulnerability details: The smscufx.c driver in the Linux kernel has a race condition and a resulting use-after-free weakness: if a physically proximate attacker removes the USB device while open() is being called, a race between ufx_ops_open() and ufx_usb_disconnect() occurs.
Use-after-free refers to accessing memory after it has been freed. This can crash the program or, depending on how the freed memory is reused, potentially lead to arbitrary code execution, up to and including remote code execution.
However, triggering this weakness requires a local physical action, so the risk rating may be stepped down since it becomes a local attack. There is also an open question: the Gembird USB 3 to HDMI adapter is SMSC-based and works with Ubuntu 10.04 LTS using the attached X.org drivers, but whether it is affected by this weakness is unconfirmed at the moment.

Remedy: Add a mutex to ufx_ops_open() and ufx_usb_disconnect() so that the two paths cannot race on the device's kref.
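The race described above and the mutex the remedy adds, shown in an added single-threaded user-space C model written for this page (not the kernel's code): a counter stands in for struct kref, a freed flag stands in for kfree(), and the preemption point between open()'s "device still present" check and kref_get() is made explicit so the interleaving is deterministic. The functions ufx_ops_open and ufx_usb_disconnect mirror the driver's; disconnect_mutex, disconnect_in_race_window and run_race are this model's own names.

```c
#include <pthread.h>

/* Constructed model of the smscufx open/disconnect race; not kernel code. */
struct ufx_dev {
    int kref;          /* stands in for the kernel's struct kref */
    int disconnected;  /* set by the USB disconnect path */
    int freed;         /* stands in for kfree() of the device */
};
static pthread_mutex_t disconnect_mutex = PTHREAD_MUTEX_INITIALIZER; /* the lock the fix adds */
static struct ufx_dev *deferred_disconnect; /* a disconnect that had to wait for the mutex */

static void kref_put(struct ufx_dev *d) { if (--d->kref == 0) d->freed = 1; }
/* ufx_usb_disconnect(): drop the device's own reference; frees it if no open file holds one. */
static void ufx_usb_disconnect(struct ufx_dev *d) { d->disconnected = 1; kref_put(d); }

/* Models the USB core running disconnect exactly while open() sits between its presence check
 * and kref_get(). Under the fix open() holds the mutex across that window, so disconnect waits. */
static void disconnect_in_race_window(struct ufx_dev *d) {
    if (pthread_mutex_trylock(&disconnect_mutex) != 0) { deferred_disconnect = d; return; }
    ufx_usb_disconnect(d);
    pthread_mutex_unlock(&disconnect_mutex);
}

/* ufx_ops_open(): 0 on success, -1 if the device is already gone, -2 if kref_get()
 * would run on memory that disconnect has already freed (the use-after-free). */
static int ufx_ops_open(struct ufx_dev *d, int fixed) {
    int rc = -1;
    if (fixed) pthread_mutex_lock(&disconnect_mutex);
    if (!d->disconnected) {
        disconnect_in_race_window(d);          /* the preemption point */
        if (d->freed) rc = -2;
        else { d->kref++; rc = 0; }            /* kref_get() */
    }
    if (fixed) pthread_mutex_unlock(&disconnect_mutex);
    return rc;
}

/* Run one open/disconnect interleaving on a fresh device. Returns open()'s result and
 * reports whether the device was freed right after open() and after the file's release. */
static int run_race(int fixed, int *freed_after_open, int *freed_after_release) {
    struct ufx_dev dev = { .kref = 1, .disconnected = 0, .freed = 0 };
    deferred_disconnect = 0;
    int rc = ufx_ops_open(&dev, fixed);
    if (deferred_disconnect) ufx_usb_disconnect(deferred_disconnect); /* waited-for disconnect */
    *freed_after_open = dev.freed;
    if (rc == 0) kref_put(&dev);               /* ufx_ops_release() drops the file's reference */
    *freed_after_release = dev.freed;
    return rc;
}
```

Without the lock, disconnect frees the device inside the window and open() reaches kref_get() on freed memory; with it, disconnect runs only after open() has taken its reference, and the device is freed when the last reference is released.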

Official announcement: please refer to the link for details: https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/
