linux/drivers/net
Duoming Zhou efe4186e6a drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
When a 6pack device is detaching, the sixpack_close() will act to clean up
necessary resources. Although del_timer_sync() in sixpack_close()
won't return if there is an active timer, one could use mod_timer() in
sp_xmit_on_air() to wake up the timer again by calling a userspace syscall such
as ax25_sendmsg(), ax25_connect() and ax25_ioctl().

This unexpectedly woken handler, sp_xmit_on_air(), realizes nothing about
the ongoing cleanup and may still call pty_write() to use driver layer
resources that have already been released.

One of the possible race conditions is shown below:

      (USE)                      |      (FREE)
ax25_sendmsg()                   |
 ax25_queue_xmit()               |
  ...                            |
  sp_xmit()                      |
   sp_encaps()                   | sixpack_close()
    sp_xmit_on_air()             |  del_timer_sync(&sp->tx_t)
     mod_timer(&sp->tx_t,...)    |  ...
                                 |  unregister_netdev()
                                 |  ...
     (wait a while)              | tty_release()
                                 |  tty_release_struct()
                                 |   release_tty()
    sp_xmit_on_air()             |    tty_kref_put(tty_struct) //FREE
     pty_write(tty_struct) //USE |    ...

The corresponding fail log is shown below:
===============================================================
BUG: KASAN: use-after-free in __run_timers.part.0+0x170/0x470
Write of size 8 at addr ffff88800a652ab8 by task swapper/2/0
...
Call Trace:
  ...
  queue_work_on+0x3f/0x50
  pty_write+0xcd/0xe0
  sp_xmit_on_air+0xb2/0x1f0
  call_timer_fn+0x28/0x150
  __run_timers.part.0+0x3c2/0x470
  run_timer_softirq+0x3b/0x80
  __do_softirq+0xf1/0x380
  ...

This patch reorders the del_timer_sync() after the unregister_netdev()
to avoid UAF bugs. Because the unregister_netdev() is well synchronized,
it flushes out any pending queues, waits for the refcount of net_device
to decrease to zero and removes net_device from the kernel. There are no
running routines after executing unregister_netdev(). Therefore, we cannot
arouse the timer from userspace again.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-02-18 10:58:17 +00:00
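The race in the commit message comes down to ordering: cancelling a timer is only final if nothing can re-arm it afterwards. The following is an added, single-threaded model written for this page; it is not code from the kernel or from the 6pack driver. Every `model_*` function is a simplified stand-in (no expiry, no locking, no real free) for the kernel routine named in its comment, and the tty object is "poisoned" with an `alive` flag instead of being freed so that the stale access is counted rather than crashing. `run_close()` replays sixpack_close() with a transmit arriving between its steps, once in the original order (del_timer_sync() before unregister_netdev()) and once in the patched order, and returns how many times the handler touched the released tty.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Model of the tty layer's object.  Instead of free()ing it we flip
 * `alive` to 0 so a later access is counted instead of being undefined
 * behaviour (KASAN plays that role in the real report). */
struct tty_struct {
    int alive;
};

/* Model of struct timer_list: a pending flag plus the handler. */
struct model_timer {
    bool pending;
    void (*fn)(struct model_timer *);
};

struct sixpack {
    struct model_timer tx_t;
    struct tty_struct *tty;      /* borrowed from the tty layer */
    bool netdev_registered;      /* cleared by model_unregister_netdev() */
};

static int uaf_count;            /* accesses to a released tty */

/* Stand-ins for del_timer_sync(), mod_timer() and the timer softirq.
 * Only one property matters here: a cancelled timer can be re-armed. */
static void model_del_timer_sync(struct model_timer *t) { t->pending = false; }
static void model_mod_timer(struct model_timer *t)      { t->pending = true; }
static void model_run_timers(struct model_timer *t)
{
    if (t->pending) {
        t->pending = false;
        t->fn(t);
    }
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for pty_write(): records a use of the released tty. */
static void model_pty_write(struct tty_struct *tty)
{
    if (!tty->alive)
        uaf_count++;
}

/* Timer handler, the sp_xmit_on_air() of the commit's trace. */
static void sp_xmit_on_air(struct model_timer *t)
{
    struct sixpack *sp = container_of(t, struct sixpack, tx_t);
    model_pty_write(sp->tty);
}

/* Transmit path reached from ax25_sendmsg() and friends.  It re-arms
 * tx_t, which is the mod_timer() the commit message points at.  Returns
 * false once the net_device is unregistered and no xmit is possible. */
static bool sp_xmit(struct sixpack *sp)
{
    if (!sp->netdev_registered)
        return false;
    model_mod_timer(&sp->tx_t);
    return true;
}

/* Stand-in for unregister_netdev(): after it, sp_xmit() is unreachable. */
static void model_unregister_netdev(struct sixpack *sp)
{
    sp->netdev_registered = false;
}

/* Stand-in for tty_kref_put() dropping the last reference. */
static void model_tty_release(struct tty_struct *tty)
{
    tty->alive = 0;
}

/* Replays sixpack_close() in the original or the patched order with a
 * transmit landing in the middle.  Returns the number of accesses to
 * the released tty (0 means no UAF). */
static int run_close(bool patched_order)
{
    struct tty_struct tty = { .alive = 1 };
    struct sixpack sp = {
        .tx_t = { .pending = false, .fn = sp_xmit_on_air },
        .tty = &tty,
        .netdev_registered = true,
    };
    uaf_count = 0;

    if (!patched_order) {
        model_del_timer_sync(&sp.tx_t);   /* original: cancel first ...       */
        sp_xmit(&sp);                     /* ... a send slips in and re-arms  */
        model_unregister_netdev(&sp);
    } else {
        model_unregister_netdev(&sp);     /* patched: shut the xmit door ...  */
        sp_xmit(&sp);                     /* ... the same send is refused     */
        model_del_timer_sync(&sp.tx_t);   /* ... so this cancel is final      */
    }

    model_tty_release(&tty);              /* tty_struct goes away            */
    model_run_timers(&sp.tx_t);           /* softirq fires whatever is pending */
    return uaf_count;
}

int main(void)
{
    printf("original order: %d use(s) of released tty\n", run_close(false));
    printf("patched order:  %d use(s) of released tty\n", run_close(true));
    return 0;
}
```

The model reduces unregister_netdev() to a flag that makes the transmit path unreachable; the real call does more (it flushes queues and waits for the net_device refcount to drop), which is exactly why the commit can rely on it as the synchronization point before the final del_timer_sync().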
appletalk
arcnet
bonding bonding: force carrier update when releasing slave 2022-02-17 10:55:21 -08:00
caif virtio: wrap config->reset calls 2022-01-14 18:50:52 -05:00
can can: flexcan: mark RX via mailboxes as supported on MCF5441X 2022-01-24 18:27:43 +01:00
dsa net: dsa: lan9303: add VLAN IDs to master device 2022-02-17 09:32:13 -08:00
ethernet nfp: flower: netdev offload check for ip6gretap 2022-02-17 09:50:45 -08:00
fddi
fjes
hamradio drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() 2022-02-18 10:58:17 +00:00
hippi
hyperv hyperv-next for 5.17 2022-01-16 15:53:00 +02:00
ieee802154 net: ieee802154: ca8210: Fix lifs/sifs periods 2022-02-02 18:04:50 +01:00
ipa net: ipa: request IPA register values be retained 2022-02-03 08:03:43 -08:00
ipvlan
mctp mctp: serial: Cancel pending work from ndo_uninit handler 2022-02-11 14:39:54 -08:00
mdio net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE 2022-02-09 12:15:21 +00:00
netdevsim ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt 2022-02-17 09:48:24 -08:00
pcs
phy net: phy: mediatek: remove PHY mode check on MT7531 2022-02-15 14:21:01 +00:00
plip
ppp TTY/Serial driver updates for 5.17-rc1 2022-01-12 11:21:52 -08:00
slip
team
usb Networking fixes for 5.17-rc5, including fixes from wireless and 2022-02-17 11:33:59 -08:00
vmxnet3 vmxnet3: Remove useless DMA-32 fallback configuration 2022-01-09 16:52:19 -08:00
wan
wireguard lib/crypto: blake2s: move hmac construction into wireguard 2022-01-18 13:03:55 +01:00
wireless iwlwifi: fix use-after-free 2022-02-10 10:16:27 +02:00
wwan net: wwan: Fix MRU mismatch issue which may lead to data connection lost 2022-01-15 22:40:52 +00:00
xen-netback
amt.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-01-09 17:00:17 -08:00
bareudp.c
dummy.c
eql.c
geneve.c
gtp.c
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c net: macsec: Verify that send_sci is on when setting Tx sci explicitly 2022-02-01 20:32:20 -08:00
macvlan.c
macvtap.c
Makefile
mdio.c
mhi_net.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c
veth.c veth: fix races around rq->rx_notify_masked 2022-02-09 12:04:53 +00:00
virtio_net.c bitmap patches for 5.17-rc1 2022-01-23 06:20:44 +02:00
vrf.c
vsockmon.c
vxlan.c
xen-netfront.c