From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Wentai Deng <wtdeng24@m.fudan.edu.cn>
Cc: davem <davem@davemloft.net>, edumazet <edumazet@google.com>,
kuba <kuba@kernel.org>, pabeni <pabeni@redhat.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
netdev <netdev@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
杜雪盈 <21210240012@m.fudan.edu.cn>
Subject: Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
Date: Mon, 2 Sep 2024 10:23:07 +0100
Message-ID: <ZtWD+/veJzhA9WH2@shell.armlinux.org.uk>
In-Reply-To: <tencent_4212C4F240B0666B49355184@qq.com>

On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:
> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
>
>
> CPU0 CPU1
>
>
> | ether3_ledoff
> ether3_remove |
> free_netdev(dev); |
> put_device |
> kfree(dev); |
> | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
> | // use dev

This is unreadable.

> Request for Review:
>
>
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.

Please resend without the HTML junk in the plain text part.

--
*** please note that I probably will only be occasionally responsive
*** for an unknown period of time due to recent eye surgery making
*** reading quite difficult.
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
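
The teardown ordering at issue in the quoted report, as an added user-space model that is not part of this thread and is not the driver's code or the reporter's proposed fix: a timer callback standing in for ether3_ledoff either fires after the device memory is released, or is cancelled first. The one-slot timer wheel, the static arena, `run_remove()` and the `CFG2_CTRLO` value are assumptions made for the model; `cancel_timer_sync()` stands in for a synchronous kernel cancel such as del_timer_sync().

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CFG2_CTRLO 0x1000u /* constructed value, not taken from the driver */

struct model_dev { unsigned config2; };

/* One-slot timer wheel; like the kernel's, it outlives any one device. */
static struct { bool armed; unsigned long expires; void (*fn)(void *); void *arg; } wheel;
static struct model_dev arena; /* static "heap" so post-free access stays defined */
static bool arena_live;
static int uaf_hits;           /* callbacks that ran against freed memory */

static void dev_free(void) { memset(&arena, 0x6b, sizeof arena); arena_live = false; }

/* Stand-in for ether3_ledoff; the liveness check is model instrumentation. */
static void ledoff(void *arg)
{
    struct model_dev *dev = arg;
    if (!arena_live) { uaf_hits++; return; }
    dev->config2 |= CFG2_CTRLO;
}

static void arm_timer(unsigned long when, void (*fn)(void *), void *arg)
{
    wheel.armed = true; wheel.expires = when; wheel.fn = fn; wheel.arg = arg;
}

/* After a synchronous cancel returns, the callback can no longer run. */
static void cancel_timer_sync(void) { wheel.armed = false; }

static void tick(unsigned long now)
{
    if (wheel.armed && now >= wheel.expires) { wheel.armed = false; wheel.fn(wheel.arg); }
}

/* Remove at t=3 while the LED timer is armed for t=5; returns the UAF count. */
int run_remove(bool cancel_first)
{
    memset(&arena, 0, sizeof arena); arena_live = true; uaf_hits = 0;
    arm_timer(5, ledoff, &arena);
    for (unsigned long now = 0; now < 10; now++) {
        if (now == 3) { if (cancel_first) cancel_timer_sync(); dev_free(); }
        tick(now);
    }
    return uaf_hits;
}

int main(void) { printf("%d %d\n", run_remove(false), run_remove(true)); return 0; }
```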