All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.19 1/2] hamradio: defer 6pack kfree after unregister_netdev
@ 2022-04-28 13:56 Ovidiu Panait
  2022-04-28 13:56 ` [PATCH 4.19 2/2] hamradio: remove needs_free_netdev to avoid UAF Ovidiu Panait
  0 siblings, 1 reply; 2+ messages in thread
From: Ovidiu Panait @ 2022-04-28 13:56 UTC (permalink / raw)
  To: stable
  Cc: Lin Ma, David S . Miller, Xu Jia, Greg Kroah-Hartman, Ovidiu Panait

From: Lin Ma <linma@zju.edu.cn>

commit 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 upstream.

There is a possible race condition (use-after-free) like below

 (USE)                       |  (FREE)
  dev_queue_xmit             |
   __dev_queue_xmit          |
    __dev_xmit_skb           |
     sch_direct_xmit         | ...
      xmit_one               |
       netdev_start_xmit     | tty_ldisc_kill
        __netdev_start_xmit  |  6pack_close
         sp_xmit             |   kfree
          sp_encaps          |
                             |

According to the patch "defer ax25 kfree after unregister_netdev", this
patch reorder the kfree after the unregister_netdev to avoid the possible
UAF as the unregister_netdev() is well synchronized and won't return if
there is a running routine.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Xu Jia <xujia39@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
These commits are part of CVE-2022-1195 patchset.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2056381
[1] https://github.com/torvalds/linux/commit/3e0588c291d6ce225f2b891753ca41d45ba42469
[2] https://github.com/torvalds/linux/commit/b2f37aead1b82a770c48b5d583f35ec22aabb61e
[3] https://github.com/torvalds/linux/commit/0b9111922b1f399aba6ed1e1b8f2079c3da1aed8
[4] https://github.com/torvalds/linux/commit/81b1d548d00bcd028303c4f3150fa753b9b8aa71

Commits [1] and [2] are already present in 4.19-stable, this patchset includes
backports for [3] and [4] (clean cherry-picks from 5.10 stable).

 drivers/net/hamradio/6pack.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 29431e3eebee..381febb99bc3 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -679,9 +679,11 @@ static void sixpack_close(struct tty_struct *tty)
 	del_timer_sync(&sp->tx_t);
 	del_timer_sync(&sp->resync_t);
 
-	/* Free all 6pack frame buffers. */
+	/* Free all 6pack frame buffers after unreg. */
 	kfree(sp->rbuff);
 	kfree(sp->xbuff);
+
+	free_netdev(sp->dev);
 }
 
 /* Perform I/O control on an active 6pack channel. */
-- 
2.36.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [PATCH 4.19 2/2] hamradio: remove needs_free_netdev to avoid UAF
  2022-04-28 13:56 [PATCH 4.19 1/2] hamradio: defer 6pack kfree after unregister_netdev Ovidiu Panait
@ 2022-04-28 13:56 ` Ovidiu Panait
  0 siblings, 0 replies; 2+ messages in thread
From: Ovidiu Panait @ 2022-04-28 13:56 UTC (permalink / raw)
  To: stable; +Cc: Lin Ma, Jakub Kicinski, Xu Jia, Greg Kroah-Hartman, Ovidiu Panait

From: Lin Ma <linma@zju.edu.cn>

commit 81b1d548d00bcd028303c4f3150fa753b9b8aa71 upstream.

The former patch "defer 6pack kfree after unregister_netdev" reorders
the kfree of two buffer after the unregister_netdev to prevent the race
condition. It also adds free_netdev() function in sixpack_close(), which
is a direct copy from the similar code in mkiss_close().

However, in sixpack driver, the flag needs_free_netdev is set to true in
sp_setup(), hence the unregister_netdev() will free the netdev
automatically. Therefore, as the sp is netdev_priv, use-after-free
occurs.

This patch removes the needs_free_netdev = true and just let the
free_netdev to finish this deallocation task.

Fixes: 0b9111922b1f ("hamradio: defer 6pack kfree after unregister_netdev")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20211111141402.7551-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Xu Jia <xujia39@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
 drivers/net/hamradio/6pack.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 381febb99bc3..87094189af74 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -311,7 +311,6 @@ static void sp_setup(struct net_device *dev)
 {
 	/* Finish setting up the DEVICE info. */
 	dev->netdev_ops		= &sp_netdev_ops;
-	dev->needs_free_netdev	= true;
 	dev->mtu		= SIXP_MTU;
 	dev->hard_header_len	= AX25_MAX_HEADER_LEN;
 	dev->header_ops 	= &ax25_header_ops;
-- 
2.36.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-04-28 13:57 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-28 13:56 [PATCH 4.19 1/2] hamradio: defer 6pack kfree after unregister_netdev Ovidiu Panait
2022-04-28 13:56 ` [PATCH 4.19 2/2] hamradio: remove needs_free_netdev to avoid UAF Ovidiu Panait

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.