Message-ID: <49ee57f2.9a9d.191465ab362.Coremail.13514081436@163.com>
Date: Mon, 12 Aug 2024 19:30:34 +0800 (CST)
From: wkx  <13514081436@....com>
To: davem@...emloft.net
Cc: edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, 
	netdev@...r.kernel.org, 21210240012@...udan.edu.cn
Subject: [BUG net] possible use after free bugs due to race condition
Our team recently developed a vulnerability detection tool, and we have employed it to scan the Linux Kernel (version 6.9.6). After manual review, we found some potentially vulnerable code snippets, which may have use-after-free bugs due to race conditions. Therefore, we would appreciate your expert insight to confirm whether these vulnerabilities could indeed pose a risk to the system.

1. /drivers/net/ethernet/broadcom/bcm63xx_enet.c

In bcm_enet_probe, &priv->mib_update_task is bound to bcm_enet_update_mib_counters_defer. bcm_enet_isr_mac will be called to start the work.
If we remove the driver, which will call bcm_enet_remove to clean up, there may be unfinished work.
The possible sequence is as follows:
CPU0                   CPU1
                     | bcm_enet_update_mib_counters_defer
bcm_enet_remove      |
free_netdev          |
kfree(netdev);       |
                     | netif_running
                     | //use netdev

2. /drivers/net/ethernet/broadcom/genet/bcmgenet.c

In bcmgenet_probe, &priv->bcmgenet_irq_work is bound to bcmgenet_irq_task. bcmgenet_isr0 will be called to start the work.
If we remove the driver, which will call bcmgenet_remove to clean up, there may be unfinished work.
The possible sequence is as follows:
CPU0                   CPU1
                     | bcmgenet_irq_task
bcmgenet_remove      |
free_netdev          |
kfree(netdev);       |
                     | phy_init_hw(priv->dev->phydev);
                     | //use netdev

3. /drivers/net/ethernet/freescale/gianfar.c

In gfar_probe, &priv->reset_task is bound to gfar_reset_task. gfar_error or gfar_timeout will be called to start the work.
If we remove the driver, which will call gfar_remove to clean up, there may be unfinished work.
The possible sequence is as follows:
CPU0                   CPU1
                     | gfar_reset_task
gfar_remove          |
free_gfar_dev        |
free_netdev          |
kfree(netdev);       |
                     | reset_gfar
                     | stop_gfar
                     | //use netdev
 
Below are some known CVEs and their patch commits corresponding to a similar vulnerability.
CVE-2023-33203
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75
CVE-2023-1670
https://lore.kernel.org/all/20230316161526.1568982-1-zyytlz.wz@163.com/
 
Thank you for your time and consideration.
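As an added illustration that is not part of the report above or of the drivers it names, the following constructed userspace C model walks the three CPU0/CPU1 sequences from the defender's side: the reported order (work outlives free_netdev), a cancel_work_sync placed while the interrupt can still re-queue the work, and the order that closes the window (stop the work source, cancel, then free). The schedule_work/cancel_work_sync/free_netdev functions here are single-threaded stand-ins for the kernel API of the same names, and uaf_hits is an assumed counter that the real kernel does not have.

```c
#include <stdbool.h>
/* Constructed single-threaded model of the race in the report (not the kernel's
 * workqueue API): a work item that reads the netdev versus a remove path that
 * frees it. Each step is driven explicitly so the ordering stays visible. */
struct work { bool pending; };
struct priv { struct work task; bool irq_enabled; }; /* task ~ priv->mib_update_task; irq_enabled until free_irq() */
static bool netdev_freed; /* stands in for kfree(netdev) inside free_netdev() */
static int  uaf_hits;     /* work runs that touched the netdev after the free */

static void schedule_work(struct work *w)    { w->pending = true; }
static void cancel_work_sync(struct work *w) { w->pending = false; } /* real one also waits */
static void free_netdev(void)                { netdev_freed = true; }
/* ISR path: queues the deferred work, as bcm_enet_isr_mac / bcmgenet_isr0 do. */
static void isr(struct priv *p) { if (p->irq_enabled) schedule_work(&p->task); }
/* Worker: its first action is to read the netdev (netif_running, phydev, ...). */
static void run_pending(struct priv *p)
{
    if (!p->task.pending) return;
    p->task.pending = false;
    if (netdev_freed) uaf_hits++;
}
static void reset(struct priv *p)
{
    p->task.pending = false; p->irq_enabled = true;
    netdev_freed = false; uaf_hits = 0;
}
/* Sequence from the report: queued work outlives free_netdev(). */
int remove_unsynchronized(void)
{
    struct priv p; reset(&p);
    isr(&p);          /* CPU1: work queued before removal starts */
    free_netdev();    /* CPU0: *_remove -> free_netdev -> kfree(netdev) */
    run_pending(&p);  /* CPU1: work runs and dereferences netdev */
    return uaf_hits;  /* 1 */
}
/* Cancelling alone is not enough while the interrupt can still re-queue. */
int remove_cancel_before_irq_off(void)
{
    struct priv p; reset(&p);
    isr(&p); cancel_work_sync(&p.task);
    isr(&p);          /* interrupt still live: work is queued again */
    free_netdev(); run_pending(&p);
    return uaf_hits;  /* 1 */
}
/* Hardened order: quiesce the work source, cancel, then free. */
int remove_hardened(void)
{
    struct priv p; reset(&p); isr(&p);
    p.irq_enabled = false;     /* free_irq(): nothing can queue new work */
    cancel_work_sync(&p.task); /* drain what is already queued or running */
    isr(&p);                   /* a late interrupt now has no effect */
    free_netdev(); run_pending(&p);
    return uaf_hits;  /* 0 */
}
```

The middle case is the one reviewers usually check for in a remove path: a cancel that runs before the interrupt (or timer, or watchdog) that queues the work has been torn down still leaves the window open.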