From: Hagar Hemdan <hagarhem@amazon.com>
Cc: <stable@vger.kernel.org>, Jeongjun Park <aha310510@gmail.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	Hagar Hemdan <hagarhem@amazon.com>
Subject: [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash()
Date: Wed, 22 Jan 2025 17:43:44 +0000	[thread overview]
Message-ID: <20250122174344.10000-2-hagarhem@amazon.com> (raw)
In-Reply-To: <20250122174344.10000-1-hagarhem@amazon.com>

From: Jeongjun Park <aha310510@gmail.com>

commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream.

During the list_for_each_entry_rcu iteration in xenvif_flush_hash,
kfree_rcu is not inside the RCU read critical section, so if the RCU
grace period ends during the iteration after kfree_rcu is called, a UAF
occurs when head->next is accessed after the entry has been freed.

Therefore, to solve this, it needs to be changed to list_for_each_entry_safe.

Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
This is the main fix for CVE-2024-49936.

diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
 
 static void xenvif_flush_hash(struct xenvif *vif)
 {
-	struct xenvif_hash_cache_entry *entry;
+	struct xenvif_hash_cache_entry *entry, *n;
 	unsigned long flags;
 
 	if (xenvif_hash_cache_size == 0)
@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
 
 	spin_lock_irqsave(&vif->hash.cache.lock, flags);
 
-	list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
-				lockdep_is_held(&vif->hash.cache.lock)) {
+	list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
 		list_del_rcu(&entry->link);
 		vif->hash.cache.count--;
 		kfree_rcu(entry, rcu);
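Review bot: the `-` lines of this hunk, `list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, lockdep_is_held(&vif->hash.cache.lock))`, depend on the companion patch earlier in this series ("net: xen-netback: hash.c: Use built-in RCU list checking"), which is what introduces the `lockdep_is_held(...)` argument removed here; the two need to go into 5.4 together and in that order, or this hunk will not apply against the older two-argument form. The change itself is the right one: `n` is read before the body runs, so the walk no longer loads `entry->link.next` after `kfree_rcu(entry, rcu)` has queued the entry, which is exactly the read the commit message describes, and dropping the lockdep condition is fine because the walk runs under `spin_lock_irqsave(&vif->hash.cache.lock, flags)` as a writer, not as an RCU reader. Keep `list_del_rcu(&entry->link)` rather than a plain `list_del` so lookups that traverse the list without the lock can still follow a removed entry's `->next` until the grace period ends.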

Thread overview:
2025-01-22 17:43 [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Hagar Hemdan
2025-01-22 17:43 ` Hagar Hemdan [this message]
2025-01-22 22:38   ` [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash() Sasha Levin
2025-01-22 22:38 ` [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Sasha Levin
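As an added example, not part of this patch or of the kernel's hash.c: a user-space model of the two loop shapes the patch swaps, built to show why one of them reads freed memory. The list helpers, the `kfree_rcu` stand-in, the `rcu_grace_period` trigger and the `checked_next` shadow are all local constructions named after the kernel primitives they imitate, and the four-entry cache is constructed input. `flush_hash(safe_walk, grace_mid_loop)` returns how many loads from already-released entries the shadow saw (or -1 if the list was left inconsistent); the second argument forces the grace period to end right after each `kfree_rcu`, which is the timing the commit message describes.

```c
/* User-space model of the walk fixed above (constructed for this example,
 * not kernel code): a kernel-style intrusive list, a deferred free that
 * stands in for kfree_rcu(), and a KASAN-like shadow that counts loads
 * from an entry whose grace period has already ended. */
#include <stddef.h>
#include <string.h>
#define NENTRIES 4

struct list_head { struct list_head *next, *prev; };
struct hash_cache_entry { struct list_head link; };   /* xenvif_hash_cache_entry stand-in */

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static struct hash_cache_entry pool[NENTRIES];      /* the "allocator" */
static int freed[NENTRIES];                         /* shadow: 1 = released */
static struct hash_cache_entry *deferred[NENTRIES]; /* pending RCU callbacks */
static int ndeferred, uaf_reads, cache_count;
static struct list_head cache_list;

/* Every load of ->next goes through here, like KASAN checking the load. */
static struct list_head *checked_next(struct list_head *pos)
{
    for (int i = 0; i < NENTRIES; i++)
        if (pos == &pool[i].link && freed[i])
            uaf_reads++;
    return pos->next;
}

static void list_add_tail(struct list_head *item, struct list_head *head)
{
    item->prev = head->prev; item->next = head;
    head->prev->next = item; head->prev = item;
}

/* list_del_rcu(): unlink, but leave the entry's own ->next intact so an
 * RCU reader already on the entry can still move forward. */
static void list_del_rcu(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
}

/* kfree_rcu(): memory is released only once a grace period ends. */
static void kfree_rcu(struct hash_cache_entry *e) { deferred[ndeferred++] = e; }
static void rcu_grace_period(void)
{
    for (int i = 0; i < ndeferred; i++)
        freed[deferred[i] - pool] = 1;
    ndeferred = 0;
}

/* Before the fix: ->next is loaded from 'pos' after the body has handed
 * 'pos' to kfree_rcu(). */
#define list_for_each_entry_unsafe(pos, head, member)                         \
    for (pos = list_entry((head)->next, __typeof__(*pos), member);           \
         &pos->member != (head);                                              \
         pos = list_entry(checked_next(&pos->member), __typeof__(*pos), member))

/* After the fix: 'n' is loaded before the body runs, so nothing is read
 * from 'pos' once it is freed. */
#define list_for_each_entry_safe(pos, n, head, member)                        \
    for (pos = list_entry((head)->next, __typeof__(*pos), member),           \
         n = list_entry(checked_next(&pos->member), __typeof__(*pos), member);\
         &pos->member != (head);                                              \
         pos = n, n = list_entry(checked_next(&n->member), __typeof__(*pos), member))

static void fill_cache(void)
{
    cache_list.next = cache_list.prev = &cache_list;
    memset(freed, 0, sizeof freed);
    ndeferred = uaf_reads = cache_count = 0;
    for (int i = 0; i < NENTRIES; i++) {
        list_add_tail(&pool[i].link, &cache_list);
        cache_count++;
    }
}

/* Shared loop body; grace_mid_loop models the losing race, where the grace
 * period ends right after kfree_rcu() and before the loop advances. */
static void drop_entry(struct hash_cache_entry *e, int grace_mid_loop)
{
    list_del_rcu(&e->link);
    cache_count--;
    kfree_rcu(e);
    if (grace_mid_loop)
        rcu_grace_period();
}

/* Returns how many loads from already-freed entries the shadow observed,
 * or -1 if the flush left the list inconsistent. */
int flush_hash(int safe_walk, int grace_mid_loop)
{
    struct hash_cache_entry *entry, *n;

    fill_cache();
    if (safe_walk)
        list_for_each_entry_safe(entry, n, &cache_list, link)
            drop_entry(entry, grace_mid_loop);
    else
        list_for_each_entry_unsafe(entry, &cache_list, link)
            drop_entry(entry, grace_mid_loop);
    rcu_grace_period();
    return (cache_count == 0 && cache_list.next == &cache_list) ? uaf_reads : -1;
}
```

With the original loop shape the shadow reports one stale load per flushed entry when the grace period ends mid-loop and none when it does not, which is why the bug depends on timing rather than showing up on every flush; the safe walk reports none under either timing. The model keeps the backing storage alive, so the stale loads are counted instead of crashing the process.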