lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <127121d9d933ebe3fc13f9f91cc33363d6a8a8ac.1649859147.git.lukas@wunner.de>
Date:   Wed, 13 Apr 2022 16:16:19 +0200
From:   Lukas Wunner <lukas@...ner.de>
To:     Oliver Neukum <oneukum@...e.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, Jann Horn <jannh@...gle.com>,
        Oleksij Rempel <o.rempel@...gutronix.de>
Cc:     netdev@...r.kernel.org, linux-usb@...r.kernel.org,
        Andrew Lunn <andrew@...n.ch>,
        Eric Dumazet <edumazet@...gle.com>,
        Jacky Chou <jackychou@...x.com.tw>, Willy Tarreau <w@....eu>,
        Lino Sanfilippo <LinoSanfilippo@....de>,
        Philipp Rosenberger <p.rosenberger@...bus.com>,
        Heiner Kallweit <hkallweit1@...il.com>
Subject: [PATCH] usbnet: Fix use-after-free on disconnect

Jann Horn reports a use-after-free on disconnect of a USB Ethernet
(ax88179_178a.c).  Oleksij Rempel has witnessed the same issue with a
different driver (ax88172a.c).

Jann's report (linked below) explains the root cause in great detail.
Briefly, USB Ethernet drivers schedule work (usbnet_deferred_kevent())
which in turn schedules another work (linkwatch_event()).  The problem
is that usbnet_disconnect() first synchronizes with linkwatch_event()
and only then with usbnet_deferred_kevent().  That allows
usbnet_deferred_kevent() to schedule another linkwatch_event() after
synchronization with the latter.  In other words, scheduling happens
in AB order and synchronization on disconnect happens in BA order.

The correct order is to first synchronize with usbnet_deferred_kevent()
(and prevent any future execution), then with linkwatch_event(), i.e.
in AB order.

Reported-by: Jann Horn <jannh@...gle.com>
Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
Reported-by: Oleksij Rempel <o.rempel@...gutronix.de>
Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/
Signed-off-by: Lukas Wunner <lukas@...ner.de>
Cc: stable@...r.kernel.org
Cc: Oliver Neukum <oneukum@...e.com>
Cc: Andrew Lunn <andrew@...n.ch>
---
 drivers/net/usb/usbnet.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 9a6450f796dc..6c67ae48afeb 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -469,6 +469,9 @@ static enum skb_state defer_bh(struct usbnet *dev, struct sk_buff *skb,
  */
 void usbnet_defer_kevent (struct usbnet *dev, int work)
 {
+	if (dev->intf->condition == USB_INTERFACE_UNBINDING)
+		return;
+
 	set_bit (work, &dev->flags);
 	if (!schedule_work (&dev->kevent))
 		netdev_dbg(dev->net, "kevent %s may have been dropped\n", usbnet_event_names[work]);
@@ -1619,11 +1622,11 @@ void usbnet_disconnect (struct usb_interface *intf)
 	if (dev->driver_info->unbind)
 		dev->driver_info->unbind(dev, intf);
 
+	cancel_work_sync(&dev->kevent);
+
 	net = dev->net;
 	unregister_netdev (net);
 
-	cancel_work_sync(&dev->kevent);
-
 	usb_scuttle_anchored_urbs(&dev->deferred);
 
 	usb_kill_urb(dev->interrupt);
-- 
2.35.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ