| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240913113727.GX572255@kernel.org> Date: Fri, 13 Sep 2024 12:37:27 +0100 From: Simon Horman <horms@...nel.org> To: Kaixin Wang <kxwang23@...udan.edu.cn> Cc: davem@...emloft.net, wtdeng24@...udan.edu.cn, 21210240012@...udan.edu.cn, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, edumazet@...gle.com, kuba@...nel.org Subject: Re: [PATCH] net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition On Tue, Sep 10, 2024 at 01:58:21AM +0800, Kaixin Wang wrote: > In the ether3_probe function, a timer is initialized with a callback > function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is > started, there is a risk of a race condition if the module or device > is removed, triggering the ether3_remove function to perform cleanup. > The sequence of operations that may lead to a UAF bug is as follows: > > CPU0 CPU1 > > | ether3_ledoff > ether3_remove | > free_netdev(dev); | > put_devic | > kfree(dev); | > | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); > | // use dev > > Fix it by ensuring that the timer is canceled before proceeding with > the cleanup in ether3_remove. > > Signed-off-by: Kaixin Wang <kxwang23@...udan.edu.cn> This seems like it is a bug fix to me. If so, it should have a Fixes tag (immediately above your Signed-off-by line, no blank line in between). And be targeted at net. Subject: [PATCH net] ... Unless the bug only exists in net-next. Subject: [PATCH net-next] ... Link: https://docs.kernel.org/process/maintainer-netdev.html ...
Powered by blists - more mailing lists