lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 9 Apr 2022 17:10:05 +0200
From:   Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To:     Duoming Zhou <duoming@....edu.cn>, linux-kernel@...r.kernel.org
Cc:     netdev@...r.kernel.org, alexander.deucher@....com,
        gregkh@...uxfoundation.org, davem@...emloft.net
Subject: Re: [PATCH] drivers: nfc: nfcmrvl: fix UAF bug in
 nfcmrvl_nci_unregister_dev()

On 09/04/2022 15:58, Duoming Zhou wrote:
> There is a potential UAF bug in nfcmrvl usb driver between
> unregister and resume operation.
> 
> The race that cause that UAF can be shown as below:
> 
>    (FREE)                   |      (USE)
>                             | nfcmrvl_resume
>                             |  nfcmrvl_submit_bulk_urb
>                             |   nfcmrvl_bulk_complete
>                             |    nfcmrvl_nci_recv_frame
>                             |     nfcmrvl_fw_dnld_recv_frame
>                             |      skb_queue_tail
> nfcmrvl_disconnect          |
>  nfcmrvl_nci_unregister_dev |
>   nfcmrvl_fw_dnld_deinit    |      ...
>    destroy_workqueue //(1)  |
>    ...                      |      queue_work //(2)
> 
> When nfcmrvl usb driver is resuming, we detach the device.
> The workqueue is destroyed in position (1), but it will be
> latter used in position (2), which leads to data race.

I miss here something. How can you queue work on a destroyed workqueue?
When workqueue is destroyed, no more work should be executed. Unless you
mean the case that draining the work (during destroying, not after)
causes the (2) to happen?

> This patch reorders the nfcmrvl_fw_dnld_deinit after
> nci_unregister_device in order to prevent UAF. Because
> nci_unregister_device will not return until finish all
> operations from upper layer.
> 
> Signed-off-by: Duoming Zhou <duoming@....edu.cn>
> ---
>  drivers/nfc/nfcmrvl/main.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c
> index 2fcf545012b..5ed17b23ee8 100644
> --- a/drivers/nfc/nfcmrvl/main.c
> +++ b/drivers/nfc/nfcmrvl/main.c
> @@ -186,12 +186,11 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv)
>  	if (priv->ndev->nfc_dev->fw_download_in_progress)
>  		nfcmrvl_fw_dnld_abort(priv);
>  
> -	nfcmrvl_fw_dnld_deinit(priv);
> -
>  	if (gpio_is_valid(priv->config.reset_n_io))
>  		gpio_free(priv->config.reset_n_io);
>  
>  	nci_unregister_device(ndev);
> +	nfcmrvl_fw_dnld_deinit(priv);

The new order matches reverse-probe, so actually makes sense.

>  	nci_free_device(ndev);
>  	kfree(priv);
>  }


Best regards,
Krzysztof

Powered by blists - more mailing lists