| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <18291779771.584fa6ab156295.3990923778713440655@siddh.me>
Date: Fri, 12 Aug 2022 15:21:50 +0530
From: Siddh Raman Pant <code@...dh.me>
To: "Johannes Berg" <johannes@...solutions.net>,
"David S. Miller" <davem@...emloft.net>,
"Eric Dumazet" <edumazet@...gle.com>,
"Jakub Kicinski" <kuba@...nel.org>,
"Paolo Abeni" <pabeni@...hat.com>
Cc: "linux-wireless" <linux-wireless@...r.kernel.org>,
"netdev" <netdev@...r.kernel.org>,
"linux-kernel-mentees"
<linux-kernel-mentees@...ts.linuxfoundation.org>,
"syzbot+f9acff9bf08a845f225d"
<syzbot+f9acff9bf08a845f225d@...kaller.appspotmail.com>,
"syzbot+6cb476b7c69916a0caca"
<syzbot+6cb476b7c69916a0caca@...kaller.appspotmail.com>,
"syzbot+9250865a55539d384347"
<syzbot+9250865a55539d384347@...kaller.appspotmail.com>,
"linux-kernel" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] wifi: cfg80211: Fix UAF in ieee80211_scan_rx()
On Tue, 26 Jul 2022 18:09:21 +0530 Siddh Raman Pant wrote:
> ieee80211_scan_rx() tries to access scan_req->flags after a null check
> (see line 303 of mac80211/scan.c), but ___cfg80211_scan_done() uses
> kfree() on the scan_req (see line 991 of wireless/scan.c).
>
> This results in a UAF.
>
> ieee80211_scan_rx() is called inside a RCU read-critical section
> initiated by ieee80211_rx_napi() (see line 5044 of mac80211/rx.c).
>
> Thus, add an rcu_head to the scan_req struct, so that we can use
> kfree_rcu() instead of kfree() and thus not free during the critical
> section.
>
> We can clear the pointer before freeing here, since scan_req is
> accessed using rcu_dereference().
>
> Bug report (3): https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
> Reported-by: syzbot+f9acff9bf08a845f225d@...kaller.appspotmail.com
> Reported-by: syzbot+6cb476b7c69916a0caca@...kaller.appspotmail.com
> Reported-by: syzbot+9250865a55539d384347@...kaller.appspotmail.com
>
> Signed-off-by: Siddh Raman Pant code@...dh.me>
> ---
> Changes since v1 as requested:
> - Fixed commit heading and better commit message.
> - Clear pointer before freeing.
>
> include/net/cfg80211.h | 2 ++
> net/wireless/scan.c | 2 +-
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
> index 80f41446b1f0..7e0b448c4cdb 100644
> --- a/include/net/cfg80211.h
> +++ b/include/net/cfg80211.h
> @@ -2368,6 +2368,7 @@ struct cfg80211_scan_6ghz_params {
> * @n_6ghz_params: number of 6 GHz params
> * @scan_6ghz_params: 6 GHz params
> * @bssid: BSSID to scan for (most commonly, the wildcard BSSID)
> + * @rcu_head: (internal) RCU head to use for freeing
> */
> struct cfg80211_scan_request {
> struct cfg80211_ssid *ssids;
> @@ -2397,6 +2398,7 @@ struct cfg80211_scan_request {
> bool scan_6ghz;
> u32 n_6ghz_params;
> struct cfg80211_scan_6ghz_params *scan_6ghz_params;
> + struct rcu_head rcu_head;
>
> /* keep last */
> struct ieee80211_channel *channels[];
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index 6d82bd9eaf8c..6cf58fe6dea0 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -988,8 +988,8 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
> kfree(rdev->int_scan_req);
> rdev->int_scan_req = NULL;
>
> - kfree(rdev->scan_req);
> rdev->scan_req = NULL;
> + kfree_rcu(rdev_req, rcu_head);
>
> if (!send_message)
> rdev->scan_msg = msg;
> --
> 2.35.1
>
Hello,
Probably the above quoted patch was missed, which can be found on
https://lore.kernel.org/linux-wireless/20220726123921.29664-1-code@siddh.me/
This patch was posted more than 2 weeks ago, with changes as requested.
With the merge window almost ending, may I request for another look at
this patch?
Thanks,
Siddh
Powered by blists - more mailing lists