Message-ID: <20240812190057.GB21559@breakpoint.cc>
Date: Mon, 12 Aug 2024 21:00:57 +0200
From: Florian Westphal <fw@...len.de>
To: wkx <13514081436@....com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
	pabeni@...hat.com, netdev@...r.kernel.org,
	21210240012@...udan.edu.cn
Subject: Re: [BUG net] possible use after free bugs due to race condition

wkx <13514081436@....com> wrote:
> 
> 
> Our team recently developed a vulnerability detection tool, and we have employed it to scan the Linux Kernel (version 6.9.6). After manual review, we found some potentially vulnerable code snippets, which may have use-after-free bugs due to race conditions. Therefore, we would appreciate your expert insight to confirm whether these vulnerabilities could indeed pose a risk to the system.
> 
> 1. /drivers/net/ethernet/broadcom/bcm63xx_enet.c
> 
> In bcm_enet_probe, &priv->mib_update_task is bound to bcm_enet_update_mib_counters_defer. bcm_enet_isr_mac will be called to start the work.
> If we remove the driver which will call bcm_enet_remove to make a cleanup, there may be unfinished work.
> The possible sequence is as follows:
> CPU0                    | CPU1
>                         | bcm_enet_update_mib_counters_defer
> bcm_enet_remove         |

  unregister_netdev(dev);

... which should end up calling bcm_enet_stop() (via ops->ndo_stop in
__dev_close_many()).  This calls cancel_work_sync().

Did not look at the others.
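
The teardown ordering described in this reply, as an added example that is not part of the original message and is not kernel code: a single-threaded userspace model in which `run_pending()` stands in for the workqueue getting CPU time. `struct priv`, `model_ndo_stop`, `model_unregister_netdev`, `late_runs_after_remove` and the `stop_cancels_work` switch are hypothetical names; the switch exists only to contrast the reported scenario with the behaviour the reply describes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model (assumption): a work item is either pending or idle. */
struct work { bool pending; void (*fn)(struct work *); };

struct priv {                     /* stands in for the driver's private data */
    struct work mib_update_task;
    bool up;                      /* interface is open */
    bool freed;                   /* set instead of really freeing, so the model can check */
    bool stop_cancels_work;       /* true: ndo_stop behaves as the reply describes */
    int  late_runs;               /* work executions after the data was released */
};

static void mib_work(struct work *w)
{
    struct priv *p = (struct priv *)((char *)w - offsetof(struct priv, mib_update_task));
    if (p->freed)
        p->late_runs++;           /* in a real driver this would be the use-after-free */
}

static void schedule_work(struct work *w)    { w->pending = true; }
static bool cancel_work_sync(struct work *w) { bool was = w->pending; w->pending = false; return was; }
static void run_pending(struct work *w)      { if (w->pending) { w->pending = false; w->fn(w); } }

static void model_ndo_stop(struct priv *p)
{
    if (p->stop_cancels_work)
        cancel_work_sync(&p->mib_update_task);
    p->up = false;
}

static void model_unregister_netdev(struct priv *p)
{
    if (p->up)                    /* an open device is closed before it is unregistered */
        model_ndo_stop(p);
}

/* Returns how many times the work ran after the private data was released. */
int late_runs_after_remove(bool stop_cancels_work)
{
    struct priv p = { .mib_update_task = { false, mib_work }, .up = true,
                      .stop_cancels_work = stop_cancels_work };
    schedule_work(&p.mib_update_task);   /* interrupt handler queued the work */
    model_unregister_netdev(&p);         /* remove path: close, then unregister */
    p.freed = true;                      /* remove path releases the device */
    run_pending(&p.mib_update_task);     /* workqueue runs whatever is still queued */
    return p.late_runs;
}

int main(void) { return late_runs_after_remove(true); }
```

With the cancel in the stop path, nothing is left queued when the data is released; with it switched off, the queued work runs once against released data, which is the sequence the report assumed.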
