lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 1 Feb 2022 16:57:30 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Jann Horn <jannh@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>,
        Oliver Neukum <oneukum@...e.com>,
        kernel list <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Jacky Chou <jackychou@...x.com.tw>, Willy Tarreau <w@....eu>
Subject: Re: [BUG] net_device UAF: linkwatch_fire_event() calls dev_hold()
 after netdev_wait_allrefs() is done

On Tue, 1 Feb 2022 23:46:16 +0100 Jann Horn wrote:
> On Fri, Jan 28, 2022 at 3:19 AM Jakub Kicinski <kuba@...nel.org> wrote:
> > Interesting..
> >
> > I don't know what link_reset does, but since it turns the carrier on it
> > seems like something that should be flushed/canceled when the device
> > goes down. unregister brings the device down under rtnl_lock.
> >
> > On Fri, 28 Jan 2022 02:51:24 +0100 Jann Horn wrote:  
> > > Is the bug that usbnet_disconnect() should be stopping &dev->kevent
> > > before calling unregister_netdev()?  
> >
> > I'd say not this one, I think the generally agreed on semantics are that
> > the netdev is under users control between register and unregister, we
> > should not cripple it before unregister.
> >  
> > > Or is the bug that ax88179_link_reset() doesn't take some kind of lock
> > > and re-check that the netdev is still alive?  
> >
> > That'd not be an uncommon way to fix this.. taking rtnl_lock, not even
> > a driver lock in similar.  
> 
> Ah, I found a comment with a bit of explanation on how this is
> supposed to work... usbnet_stop() explains:
> 
>     /* deferred work (task, timer, softirq) must also stop.
>      * can't flush_scheduled_work() until we drop rtnl (later),
>      * else workers could deadlock; so make workers a NOP.
>      */
> 
> And usbnet_stop() is ->ndo_stop(), which indeed runs under RTNL.
> 
> I wonder what the work items can do that'd conflict with RTNL... or is
> the comment just talking about potential issues if a bunch of *other*
> work items need RTNL and clog up the system_wq so that
> flush_scheduled_work() blocks forever?

Good question. Nothing that would explicitly take rtnl_lock jumps out
in the usbnet code or the link_reset handler. The code is ancient, too:

/* work that cannot be done in interrupt context uses keventd.
 *
 * NOTE:  with 2.5 we could do more of this using completion callbacks,

:)

> If it's the latter case, I guess we could instead do cancel_work_sync() and
> then maybe re-run the work function's handler one more time
> synchronously?

cancel_sync() sounds good, lan78xx.c does that plus clearing the event
bits. I don't think you need to call the link_reset handler manually,
the stop function should shut down the link, anyway.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ