lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2BC065D799E6D23B+6fef9b03.c268.191e720da5e.Coremail.kxwang23@m.fudan.edu.cn>
Date: Fri, 13 Sep 2024 00:46:15 +0800 (CST)
From: "Kaixin Wang" <kxwang23@...udan.edu.cn>
To: "Przemek Kitszel" <przemyslaw.kitszel@...el.com>
Cc: wtdeng24@...udan.edu.cn, 21210240012@...udan.edu.cn, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org, edumazet@...gle.com, kuba@...nel.org, 
	davem@...emloft.net
Subject: Re: [PATCH] net: seeq: Fix use after free vulnerability in ether3
 Driver Due to Race Condition


At 2024-09-11 17:29:44, "Przemek Kitszel" <przemyslaw.kitszel@...el.com> wrote:
>On 9/9/24 19:58, Kaixin Wang wrote:
>> In the ether3_probe function, a timer is initialized with a callback
>> function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
>> started, there is a risk of a race condition if the module or device
>> is removed, triggering the ether3_remove function to perform cleanup.
>> The sequence of operations that may lead to a UAF bug is as follows:
>> 
>> CPU0                                    CPU1
>> 
>>                        |  ether3_ledoff
>> ether3_remove         |
>>    free_netdev(dev);   |
>>    put_devic           |
>>    kfree(dev);         |
>>   |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>>                        | // use dev
>> 
>> Fix it by ensuring that the timer is canceled before proceeding with
>> the cleanup in ether3_remove.
>
>this code change indeed prevents UAF bug
>but as is, the CFG2_CTRLO flag of REG_CONFIG2 will be left in state "ON"
>
>it would be better to first turn the LED off unconditionally
>

I will fix it in the next version of patch.

>> 
>> Signed-off-by: Kaixin Wang <kxwang23@...udan.edu.cn>
>> ---
>>   drivers/net/ethernet/seeq/ether3.c | 1 +
>>   1 file changed, 1 insertion(+)
>> 
>> diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c
>> index c672f92d65e9..f9d27c9d6808 100644
>> --- a/drivers/net/ethernet/seeq/ether3.c
>> +++ b/drivers/net/ethernet/seeq/ether3.c
>> @@ -850,6 +850,7 @@ static void ether3_remove(struct expansion_card *ec)
>>   	ecard_set_drvdata(ec, NULL);
>>   
>>   	unregister_netdev(dev);
>> +	del_timer_sync(&priv(dev)->timer);
>>   	free_netdev(dev);
>>   	ecard_release_resources(ec);
>>   }
>
>
Thanks for the review!

Best regards,
Kaixin Wang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ