Use-after-free access in j1939_session_deactivate

12 Jul 2021


      Hi,
It looks like there are multiple use-after-free accesses in
j1939_session_deactivate()
static bool j1939_session_deactivate(struct j1939_session *session)
{
bool active;
j1939_session_list_lock(session->priv);
active = j1939_session_deactivate_locked(session); //session can be freed inside
j1939_session_list_unlock(session->priv); // It causes UAF read and write
return active;
}
session can be freed by
j1939_session_deactivate_locked->j1939_session_put->__j1939_session_release->j1939_session_destroy->kfree.
Therefore it makes the unlock function perform UAF access.
Best,
Xiaochen Zou
Department of Computer Science & Engineering
University of California, Riverside

2025

2024

2023

2022

2021

2020

2019

2018

2017

Use-after-free access in j1939_session_deactivate