[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2BC065D799E6D23B+6fef9b03.c268.191e720da5e.Coremail.kxwang23@m.fudan.edu.cn>
Date: Fri, 13 Sep 2024 00:46:15 +0800 (CST)
From: "Kaixin Wang" <kxwang23@...udan.edu.cn>
To: "Przemek Kitszel" <przemyslaw.kitszel@...el.com>
Cc: wtdeng24@...udan.edu.cn, 21210240012@...udan.edu.cn, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, edumazet@...gle.com, kuba@...nel.org,
davem@...emloft.net
Subject: Re: [PATCH] net: seeq: Fix use after free vulnerability in ether3
Driver Due to Race Condition
At 2024-09-11 17:29:44, "Przemek Kitszel" <przemyslaw.kitszel@...el.com> wrote:
>On 9/9/24 19:58, Kaixin Wang wrote:
>> In the ether3_probe function, a timer is initialized with a callback
>> function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
>> started, there is a risk of a race condition if the module or device
>> is removed, triggering the ether3_remove function to perform cleanup.
>> The sequence of operations that may lead to a UAF bug is as follows:
>>
>> CPU0 CPU1
>>
>> | ether3_ledoff
>> ether3_remove |
>> free_netdev(dev); |
>> put_devic |
>> kfree(dev); |
>> | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>> | // use dev
>>
>> Fix it by ensuring that the timer is canceled before proceeding with
>> the cleanup in ether3_remove.
>
>this code change indeed prevents UAF bug
>but as is, the CFG2_CTRLO flag of REG_CONFIG2 will be left in state "ON"
>
>it would be better to first turn the LED off unconditionally
>
I will fix it in the next version of patch.
>>
>> Signed-off-by: Kaixin Wang <kxwang23@...udan.edu.cn>
>> ---
>> drivers/net/ethernet/seeq/ether3.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c
>> index c672f92d65e9..f9d27c9d6808 100644
>> --- a/drivers/net/ethernet/seeq/ether3.c
>> +++ b/drivers/net/ethernet/seeq/ether3.c
>> @@ -850,6 +850,7 @@ static void ether3_remove(struct expansion_card *ec)
>> ecard_set_drvdata(ec, NULL);
>>
>> unregister_netdev(dev);
>> + del_timer_sync(&priv(dev)->timer);
>> free_netdev(dev);
>> ecard_release_resources(ec);
>> }
>
>
Thanks for the review!
Best regards,
Kaixin Wang
Powered by blists - more mailing lists