lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Apr 2022 21:58:54 +0800 From: Duoming Zhou <duoming@....edu.cn> To: linux-kernel@...r.kernel.org Cc: netdev@...r.kernel.org, alexander.deucher@....com, gregkh@...uxfoundation.org, davem@...emloft.net, krzk@...nel.org, Duoming Zhou <duoming@....edu.cn> Subject: [PATCH] drivers: nfc: nfcmrvl: fix UAF bug in nfcmrvl_nci_unregister_dev() There is a potential UAF bug in nfcmrvl usb driver between unregister and resume operation. The race that cause that UAF can be shown as below: (FREE) | (USE) | nfcmrvl_resume | nfcmrvl_submit_bulk_urb | nfcmrvl_bulk_complete | nfcmrvl_nci_recv_frame | nfcmrvl_fw_dnld_recv_frame | skb_queue_tail nfcmrvl_disconnect | nfcmrvl_nci_unregister_dev | nfcmrvl_fw_dnld_deinit | ... destroy_workqueue //(1) | ... | queue_work //(2) When nfcmrvl usb driver is resuming, we detach the device. The workqueue is destroyed in position (1), but it will be latter used in position (2), which leads to data race. This patch reorders the nfcmrvl_fw_dnld_deinit after nci_unregister_device in order to prevent UAF. Because nci_unregister_device will not return until finish all operations from upper layer. Signed-off-by: Duoming Zhou <duoming@....edu.cn> --- drivers/nfc/nfcmrvl/main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c index 2fcf545012b..5ed17b23ee8 100644 --- a/drivers/nfc/nfcmrvl/main.c +++ b/drivers/nfc/nfcmrvl/main.c @@ -186,12 +186,11 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv) if (priv->ndev->nfc_dev->fw_download_in_progress) nfcmrvl_fw_dnld_abort(priv); - nfcmrvl_fw_dnld_deinit(priv); - if (gpio_is_valid(priv->config.reset_n_io)) gpio_free(priv->config.reset_n_io); nci_unregister_device(ndev); + nfcmrvl_fw_dnld_deinit(priv); nci_free_device(ndev); kfree(priv); } -- 2.17.1
Powered by blists - more mailing lists