lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Sep 2022 10:18:42 +0800 From: Duoming Zhou <duoming@....edu.cn> To: linux-kernel@...r.kernel.org Cc: netdev@...r.kernel.org, isdn@...ux-pingi.de, kuba@...nel.org, Duoming Zhou <duoming@....edu.cn> Subject: [PATCH V3] mISDN: fix use-after-free bugs in l1oip timer handlers The l1oip_cleanup() traverses the l1oip_ilist and calls release_card() to cleanup module and stack. However, release_card() calls del_timer() to delete the timers such as keep_tl and timeout_tl. If the timer handler is running, the del_timer() will not stop it and result in UAF bugs. One of the processes is shown below: (cleanup routine) | (timer handler) release_card() | l1oip_timeout() ... | del_timer() | ... ... | kfree(hc) //FREE | | hc->timeout_on = 0 //USE Fix by calling del_timer_sync() in release_card(), which makes sure the timer handlers have finished before the resources, such as l1oip and so on, have been deallocated. What's more, the hc->workq and hc->socket_thread can kick those timers right back in. We use del_timer_sync(&hc->keep_tl) and cancel_work_sync(&hc->workq) twice to stop keep_tl timer and hc->workq. Then, we add del_timer_sync(&hc->timeout_tl) inside l1oip_socket_close() to stop timeout_tl timer. Because the hc->socket_thread has been killed and the timeout_tl timer will not be rescheduled. Fixes: 3712b42d4b1b ("Add layer1 over IP support") Signed-off-by: Duoming Zhou <duoming@....edu.cn> --- Changes in v3: - Make commit messages more clearer. - Add del_timer_sync(&hc->timeout_tl) inside l1oip_socket_close(). drivers/isdn/mISDN/l1oip_core.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c index 2c40412466e..5939f1d8f08 100644 --- a/drivers/isdn/mISDN/l1oip_core.c +++ b/drivers/isdn/mISDN/l1oip_core.c @@ -762,6 +762,8 @@ l1oip_socket_close(struct l1oip *hc) wait_for_completion(&hc->socket_complete); } + del_timer_sync(&hc->timeout_tl); + /* if active, we send up a PH_DEACTIVATE and deactivate */ if (test_bit(FLG_ACTIVE, &dch->Flags)) { if (debug & (DEBUG_L1OIP_MSG | DEBUG_L1OIP_SOCKET)) @@ -1232,12 +1234,10 @@ release_card(struct l1oip *hc) { int ch; - if (timer_pending(&hc->keep_tl)) - del_timer(&hc->keep_tl); - - if (timer_pending(&hc->timeout_tl)) - del_timer(&hc->timeout_tl); - + del_timer_sync(&hc->keep_tl); + del_timer_sync(&hc->timeout_tl); + cancel_work_sync(&hc->workq); + del_timer_sync(&hc->keep_tl); cancel_work_sync(&hc->workq); if (hc->socket_thread) -- 2.17.1
Powered by blists - more mailing lists