Date: Wed, 13 Apr 2022 16:16:19 +0200
From: Lukas Wunner <lukas@...ner.de>
To: Oliver Neukum <oneukum@...e.com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Jann Horn <jannh@...gle.com>, Oleksij Rempel <o.rempel@...gutronix.de>
Cc: netdev@...r.kernel.org, linux-usb@...r.kernel.org, Andrew Lunn <andrew@...n.ch>, Eric Dumazet <edumazet@...gle.com>, Jacky Chou <jackychou@...x.com.tw>, Willy Tarreau <w@....eu>, Lino Sanfilippo <LinoSanfilippo@....de>, Philipp Rosenberger <p.rosenberger@...bus.com>, Heiner Kallweit <hkallweit1@...il.com>
Subject: [PATCH] usbnet: Fix use-after-free on disconnect

Jann Horn reports a use-after-free on disconnect of a USB Ethernet
(ax88179_178a.c). Oleksij Rempel has witnessed the same issue with a
different driver (ax88172a.c).

Jann's report (linked below) explains the root cause in great detail.
Briefly, USB Ethernet drivers schedule work (usbnet_deferred_kevent())
which in turn schedules another work (linkwatch_event()).

The problem is that usbnet_disconnect() first synchronizes with
linkwatch_event() and only then with usbnet_deferred_kevent(). That
allows usbnet_deferred_kevent() to schedule another linkwatch_event()
after synchronization with the latter.

In other words, scheduling happens in AB order and synchronization on
disconnect happens in BA order. The correct order is to first
synchronize with usbnet_deferred_kevent() (and prevent any future
execution), then with linkwatch_event(), i.e. in AB order.

Reported-by: Jann Horn <jannh@...gle.com>
Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
Reported-by: Oleksij Rempel <o.rempel@...gutronix.de>
Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/
Signed-off-by: Lukas Wunner <lukas@...ner.de> Cc: stable@...r.kernel.org Cc: Oliver Neukum <oneukum@...e.com> Cc: Andrew Lunn <andrew@...n.ch> --- drivers/net/usb/usbnet.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 9a6450f796dc..6c67ae48afeb 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -469,6 +469,9 @@ static enum skb_state defer_bh(struct usbnet *dev, struct sk_buff *skb, */ void usbnet_defer_kevent (struct usbnet *dev, int work) { + if (dev->intf->condition == USB_INTERFACE_UNBINDING) + return; + set_bit (work, &dev->flags); if (!schedule_work (&dev->kevent)) netdev_dbg(dev->net, "kevent %s may have been dropped\n", usbnet_event_names[work]); @@ -1619,11 +1622,11 @@ void usbnet_disconnect (struct usb_interface *intf) if (dev->driver_info->unbind) dev->driver_info->unbind(dev, intf); + cancel_work_sync(&dev->kevent); + net = dev->net; unregister_netdev (net); - cancel_work_sync(&dev->kevent); - usb_scuttle_anchored_urbs(&dev->deferred); usb_kill_urb(dev->interrupt); -- 2.35.2
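Review bot: the early return added at the top of usbnet_defer_kevent() drops the event silently, while the existing failure path a few lines below it logs "kevent %s may have been dropped" through netdev_dbg(). Consider logging the dropped event here as well, and extending the comment block above the function to say that events are discarded once the interface is in USB_INTERFACE_UNBINDING. The read of dev->intf->condition is also made with no lock visible in this hunk, so a caller that passes the check just before the condition changes still reaches schedule_work(); a short comment naming the later step that covers that window would help the next reader.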
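Review bot: there is no comment at the moved cancel_work_sync(&dev->kevent) call in usbnet_disconnect() saying that it has to stay ahead of unregister_netdev(), so a later cleanup could move it back without anyone noticing. Suggest a comment above the call stating that the kevent work must be stopped first because it can schedule linkwatch work, and that this relies on usbnet_defer_kevent() refusing new work while the interface is unbinding.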
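The ordering argument from the commit message, as a simplified user-space model added here (it is not code from the patch or the kernel). Work A stands for usbnet_deferred_kevent() and work B for linkwatch_event(); the struct, the function names and the re-deferral of A during teardown are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model, not kernel code: work A stands for usbnet_deferred_kevent(),
 * work B for linkwatch_event(). A queues B when it runs. */
struct dev_model {
    bool a_running;   /* A is executing on a worker when disconnect starts */
    bool a_pending;   /* A is queued */
    bool b_pending;   /* B is queued and would later touch the freed device */
    bool unbinding;   /* models the USB_INTERFACE_UNBINDING condition */
};

static void defer_a(struct dev_model *d, bool guard)
{
    if (!(guard && d->unbinding))   /* guard: no new A once unbinding */
        d->a_pending = true;
}

/* Models cancel_work_sync() on A: wait for a running A, drop a queued one. */
static void sync_a(struct dev_model *d)
{
    if (d->a_running) {
        d->b_pending = true;        /* A finishes and queues B on its way out */
        d->a_running = false;
    }
    d->a_pending = false;
}

/* Models synchronization with B; assumption: teardown also tries to defer A. */
static void sync_b(struct dev_model *d, bool guard)
{
    d->b_pending = false;
    defer_a(d, guard);
}

/* True if work is still queued at the point where the device would be freed. */
static bool work_survives_disconnect(bool ab_order, bool guard)
{
    struct dev_model d = { .a_running = true, .unbinding = true };
    if (ab_order) { sync_a(&d); sync_b(&d, guard); }   /* order after the fix */
    else          { sync_b(&d, guard); sync_a(&d); }   /* order before the fix */
    return d.a_running || d.a_pending || d.b_pending;
}

int main(void)
{
    printf("BA: %d, AB: %d, AB+guard: %d\n", work_survives_disconnect(false, false),
           work_survives_disconnect(true, false), work_survives_disconnect(true, true));
    return 0;
}
```

In this model only the AB order combined with the guard leaves no work queued; either change alone still leaves work behind.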