Open Source and information security mailing list archives
Message-ID: <20250429113241.572e3759@kmaincent-XPS-13-7390>
Date: Tue, 29 Apr 2025 11:32:41 +0200
From: Kory Maincent <kory.maincent@...tlin.com>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Andrew Lunn <andrew@...n.ch>, Oleksij Rempel <o.rempel@...gutronix.de>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet
 <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Jonathan Corbet
 <corbet@....net>, Donald Hunter <donald.hunter@...il.com>, Rob Herring
 <robh@...nel.org>, Andrew Lunn <andrew+netdev@...n.ch>, Simon Horman
 <horms@...nel.org>, Heiner Kallweit <hkallweit1@...il.com>, Russell King
 <linux@...linux.org.uk>, Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor
 Dooley <conor+dt@...nel.org>, Liam Girdwood <lgirdwood@...il.com>, Mark
 Brown <broonie@...nel.org>, Thomas Petazzoni
 <thomas.petazzoni@...tlin.com>, netdev@...r.kernel.org,
 linux-doc@...r.kernel.org, Kyle Swenson <kyle.swenson@....tech>, Dent
 Project <dentproject@...uxfoundation.org>, kernel@...gutronix.de, Maxime
 Chevallier <maxime.chevallier@...tlin.com>, devicetree@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next v9 02/13] net: pse-pd: Add support for
 reporting events

On Tue, 29 Apr 2025 11:00:19 +0200
Paolo Abeni <pabeni@...hat.com> wrote:

> On 4/22/25 4:56 PM, Kory Maincent wrote:
> > +/**
> > + * pse_control_find_phy_by_id - Find PHY attached to the pse control id
> > + * @pcdev: a pointer to the PSE
> > + * @id: index of the PSE control
> > + *
> > + * Return: PHY device pointer or NULL
> > + */
> > +static struct phy_device *
> > +pse_control_find_phy_by_id(struct pse_controller_dev *pcdev, int id)
> > +{
> > +	struct pse_control *psec;
> > +
> > +	mutex_lock(&pse_list_mutex);
> > +	list_for_each_entry(psec, &pcdev->pse_control_head, list) {
> > +		if (psec->id == id) {
> > +			mutex_unlock(&pse_list_mutex);  
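Review bot: the mutex that protects the list walk is released inside the loop before the matched `psec` is used, so from `mutex_unlock(&pse_list_mutex);` onward nothing pins the control and it can be unregistered and freed before the following statement runs. Either take a reference on `psec` (or on whatever it hands back) while the mutex is still held, or copy the field you need before unlocking; in both cases the kernel-doc above, which only says "Return: PHY device pointer or NULL", should state what keeps the returned pointer alive for the caller.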
> 
> AFAICS at this point 'psec' could be freed and the next statement could
> cause UaF.
> 
> It looks like you should acquire a reference to the pse control?

Oh indeed, thanks for spotting this issue!

I first thought this would be sufficient:
phydev = psec->attached_phydev;
mutex_unlock(&pse_list_mutex);
return phydev;

But in fact the ethnl_pse_send_ntf(phydev, notifs, &extack) is called without
RTNL lock, therefore the phydev could be freed and we could also have a UaF on
the phydev pointer. I will add an rtnl_lock here. Maybe a
get_device(&phydev->mdio.dev) is sufficient, but I'm not sure.

Also we really need to throw the ASSERT_RTNL() in the phy_detach function,
because there are still paths where the phy is freed without rtnl. I have a
patch for it, I will try to send it in RFC soon.

Regards,
-- 
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
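The two lookup shapes discussed in this thread, as an added user-space model that is not kernel code and not part of the patch: a find that unlocks and hands back a borrowed pointer (the shape of the quoted hunk), beside one that takes a reference while the lock still pins the object. The lock is a single-flag stand-in for mutex_lock(), the refcount stands in for a kref, and the `pse_control`/`attached_phydev` names only echo the patch; everything else is constructed. It models the control's lifetime only, not the separate phydev lifetime question raised above.

```c
/* Constructed model of "find under lock, use after unlock" vs. "get a
 * reference under lock". Not kernel code; names echo the patch only. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

struct phy_device { int addr; };

struct pse_control {
    int id;
    int refcount;                        /* 1 owned by the list, +1 per holder */
    struct phy_device *attached_phydev;
    struct pse_control *next;
};

/* Lock stand-in: asserts on re-lock and on unbalanced unlock. */
static int pse_list_mutex_held;
static void pse_lock(void)   { assert(!pse_list_mutex_held); pse_list_mutex_held = 1; }
static void pse_unlock(void) { assert(pse_list_mutex_held);  pse_list_mutex_held = 0; }

static struct pse_control *pse_control_head;
static int pse_controls_freed;           /* counts real releases for the checks */

static void pse_control_get(struct pse_control *psec) { psec->refcount++; } /* lock held */

static void pse_control_put(struct pse_control *psec)
{
    pse_lock();
    int last = (--psec->refcount == 0);
    pse_unlock();
    if (last) { free(psec); pse_controls_freed++; }
}

/* Register a control; the list owns one reference. */
static void pse_control_add(int id, struct phy_device *phy)
{
    struct pse_control *psec = calloc(1, sizeof(*psec));
    assert(psec);
    psec->id = id; psec->refcount = 1; psec->attached_phydev = phy;
    pse_lock();
    psec->next = pse_control_head; pse_control_head = psec;
    pse_unlock();
}

/* Unlink a control and drop the list's reference. */
static void pse_control_remove(int id)
{
    struct pse_control **pp, *found = NULL;
    pse_lock();
    for (pp = &pse_control_head; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { found = *pp; *pp = found->next; break; }
    pse_unlock();
    if (found) pse_control_put(found);
}

/* Shape of the quoted hunk: unlock, then return a pointer nothing pins. */
static struct pse_control *find_borrowed(int id)
{
    struct pse_control *psec;
    pse_lock();
    for (psec = pse_control_head; psec; psec = psec->next)
        if (psec->id == id) { pse_unlock(); return psec; }
    pse_unlock();
    return NULL;
}

/* Fixed shape: take the reference while the lock still pins the object;
 * the caller must pse_control_put() when done. */
static struct pse_control *find_get(int id)
{
    struct pse_control *psec;
    pse_lock();
    for (psec = pse_control_head; psec; psec = psec->next)
        if (psec->id == id) { pse_control_get(psec); pse_unlock(); return psec; }
    pse_unlock();
    return NULL;
}

/* Lookup racing with removal. Returns how many controls were already freed
 * at the point the caller would dereference its result: 1 means UaF. */
static int race_borrowed(void)
{
    struct phy_device phy = { 7 };
    pse_controls_freed = 0;
    pse_control_add(1, &phy);
    struct pse_control *psec = find_borrowed(1);
    (void)psec;                          /* deref after the next line is a UaF */
    pse_control_remove(1);               /* frees the control under the caller */
    return pse_controls_freed;
}

static int race_referenced(void)
{
    struct phy_device phy = { 7 };
    pse_controls_freed = 0;
    pse_control_add(1, &phy);
    struct pse_control *psec = find_get(1);
    pse_control_remove(1);               /* unlinked, but our reference holds it */
    int freed_before_use = pse_controls_freed;
    assert(psec->attached_phydev->addr == 7);   /* safe: still owned */
    pse_control_put(psec);               /* last reference: freed now */
    return freed_before_use;
}

int main(void)
{
    printf("borrowed: freed before use = %d\n", race_borrowed());    /* 1 */
    printf("referenced: freed before use = %d\n", race_referenced()); /* 0 */
    return 0;
}
```

The stand-in lock also catches a double unlock, which is the kind of mistake that creeps in when an unlock is moved inside a loop body; a real kernel build gets the same check from lockdep.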
