* [PATCH mac80211] virt_wifi: fix use-after-free in virt_wifi_newlink()
@ 2019-11-21 12:26 Taehee Yoo
From: Taehee Yoo @ 2019-11-21 12:26 UTC (permalink / raw)
  To: johannes, kvalo, linux-wireless; +Cc: ap420073

When a virt_wifi interface is created, virt_wifi_newlink() is called and
it calls register_netdevice().
If register_netdevice() fails, it internally would call
->priv_destructor(), which is virt_wifi_net_device_destructor(), and
it frees netdev. But virt_wifi_newlink() still uses netdev.
So, a use-after-free would occur in virt_wifi_newlink().

Test commands:
    ip link add dummy0 type dummy
    modprobe bonding
    ip link add bonding_masters link dummy0 type virt_wifi

Splat looks like:
[  202.220554] BUG: KASAN: use-after-free in virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.221659] Read of size 8 at addr ffff888061629cb8 by task ip/852

[  202.222896] CPU: 1 PID: 852 Comm: ip Not tainted 5.4.0-rc5 #3
[  202.223765] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  202.225073] Call Trace:
[  202.225532]  dump_stack+0x7c/0xbb
[  202.226073]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.226869]  print_address_description.constprop.5+0x1be/0x360
[  202.227759]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.228550]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.229362]  __kasan_report+0x12a/0x16f
[  202.229980]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.230714]  kasan_report+0xe/0x20
[  202.232595]  virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.233370]  __rtnl_newlink+0xb9f/0x11b0
[  202.233929]  ? rtnl_link_unregister+0x220/0x220
[  202.234668]  ? lock_acquire+0x164/0x3b0
[  202.235344]  ? rtnl_newlink+0x4c/0x90
[  202.235923]  ? is_bpf_text_address+0x86/0xf0
[  202.236588]  ? kernel_text_address+0x111/0x120
[  202.237291]  ? __lock_acquire+0xdfe/0x3de0
[  202.237834]  ? __kernel_text_address+0xe/0x30
[  202.238414]  ? unwind_get_return_address+0x5f/0xa0
[  202.239207]  ? create_prof_cpu_mask+0x20/0x20
[  202.240163]  ? arch_stack_walk+0x83/0xb0
[  202.240916]  ? stack_trace_save+0x82/0xb0
[  202.241640]  ? stack_trace_consume_entry+0x160/0x160
[  202.242595]  ? rtnl_newlink+0x4c/0x90
[  202.243499]  ? kasan_unpoison_shadow+0x30/0x40
[  202.244192]  ? kmem_cache_alloc_trace+0x12c/0x320
[  202.244909]  rtnl_newlink+0x65/0x90
[ ... ]

Fixes: c7cdba31ed8b ("mac80211-next: rtnetlink wifi simulation device")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
---
 drivers/net/wireless/virt_wifi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/virt_wifi.c b/drivers/net/wireless/virt_wifi.c
index 7997cc6de334..01305ba2d3aa 100644
--- a/drivers/net/wireless/virt_wifi.c
+++ b/drivers/net/wireless/virt_wifi.c
@@ -450,7 +450,6 @@ static void virt_wifi_net_device_destructor(struct net_device *dev)
 	 */
 	kfree(dev->ieee80211_ptr);
 	dev->ieee80211_ptr = NULL;
-	free_netdev(dev);
 }
 
 /* No lock interaction. */
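Review bot: with free_netdev() dropped from virt_wifi_net_device_destructor(), the function now releases only dev->ieee80211_ptr and no longer frees the net_device itself, so the comment block that closes just above this hunk (the `*/` line) should be checked for any statement that the destructor frees the device and updated to match. The commit message should also say explicitly that freeing the net_device now relies on needs_free_netdev instead of on this destructor; as written it describes the use-after-free but not this change of ownership.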
@@ -458,7 +457,7 @@ static void virt_wifi_setup(struct net_device *dev)
 {
 	ether_setup(dev);
 	dev->netdev_ops = &virt_wifi_ops;
-	dev->priv_destructor = virt_wifi_net_device_destructor;
+	dev->needs_free_netdev  = true;
 }
 
 /* Called in a RCU read critical section from netif_receive_skb */
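Review bot: `dev->needs_free_netdev  = true;` has two spaces before the `=`; use a single space (`dev->needs_free_netdev = true;`) to match the surrounding assignments such as `dev->netdev_ops = &virt_wifi_ops;`. Since the priv_destructor assignment is removed from virt_wifi_setup(), the destructor is no longer installed at allocation time; a one-line comment here noting that it is set in virt_wifi_newlink() once registration has succeeded would save the next reader from searching for it.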
@@ -544,6 +543,7 @@ static int virt_wifi_newlink(struct net *src_net, struct net_device *dev,
 		goto unregister_netdev;
 	}
 
+	dev->priv_destructor = virt_wifi_net_device_destructor;
 	priv->being_deleted = false;
 	priv->is_connected = false;
 	priv->is_up = false;
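Review bot: priv_destructor is now installed only after the `goto unregister_netdev` check, so on the error paths taken before this line (the one visible here and the register_netdevice() failure described in the commit message) the core will not call virt_wifi_net_device_destructor(). The labels those gotos jump to are not in this hunk, so please confirm that they still kfree() dev->ieee80211_ptr themselves and that, with needs_free_netdev set, nothing on those paths also calls free_netdev(), which would turn the fixed use-after-free into a double free.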
-- 
2.17.1

