linux-arm-kernel.lists.infradead.org archive mirror
* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
       [not found] <tencent_4212C4F240B0666B49355184@qq.com>
@ 2024-09-02  9:23 ` Russell King (Oracle)
  2024-09-02 11:37   ` Wentai Deng
  0 siblings, 1 reply; 6+ messages in thread
From: Russell King (Oracle) @ 2024-09-02  9:23 UTC (permalink / raw)
  To: Wentai Deng
  Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
	linux-kernel, 杜雪盈

On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:
> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &priv(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
> 
> CPU0                            CPU1
> 
>                             |   ether3_ledoff
> ether3_remove               |
>     free_netdev(dev);       |
>     put_device              |
>     kfree(dev);             |
>                             |       ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>                             |       // use dev

This is unreadable.

> Request for Review:
> 
> 
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.

Please resend without the HTML junk in the plain text part.

-- 
*** please note that I probably will only be occasionally responsive
*** for an unknown period of time due to recent eye surgery making
*** reading quite difficult.

RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!



* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
  2024-09-02  9:23 ` Russell King (Oracle)
@ 2024-09-02 11:37   ` Wentai Deng
  2024-09-02 15:54     ` Andrew Lunn
  0 siblings, 1 reply; 6+ messages in thread
From: Wentai Deng @ 2024-09-02 11:37 UTC (permalink / raw)
  To: Russell King (Oracle)
  Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
	linux-kernel, 杜雪盈

Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.



* [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
@ 2024-09-02 11:42 Wentai Deng
  2024-09-02 15:56 ` Andrew Lunn
  0 siblings, 1 reply; 6+ messages in thread
From: Wentai Deng @ 2024-09-02 11:42 UTC (permalink / raw)
  To: linux
  Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
	linux-kernel, 杜雪盈

Our team recently developed a vulnerability detection tool, and we have employed it to scan the Linux Kernel (version 6.9.6). After manual review, we found some potentially vulnerable code snippets which may have use-after-free bugs due to race conditions. Therefore, we would appreciate your expert insight to confirm whether these vulnerabilities could indeed pose a risk to the system.

Vulnerability Description:

File: /drivers/net/ethernet/seeq/ether3.c

In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &priv(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                            CPU1

                            |   ether3_ledoff
ether3_remove               |
    free_netdev(dev);       |
    put_device              |
    kfree(dev);             |
                            |       ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                            |       // use dev

Proposed Fix:

The issue can be resolved by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove or ether3_close. This will prevent any pending or active timer functions from accessing memory that has already been freed.

Relevant CVE and Reference:

This issue is similar to the vulnerability documented in CVE-2023-3141, and a related fix was implemented as shown in the following commit:

memstick: r592: Fix UAF bug in r592_remove due to race condition (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=63264422785021704c39b38f65a78ab9e4a186d7)

Request for Review:

We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system and if the proposed fix is appropriate.

Thank you for your time and consideration.

Best regards,
Wentai Deng
wtdeng24@m.fudan.edu.cn
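
An added userspace model of the ordering described in the report above (not code from this thread or from the ether3 driver): the first scenario frees the private data with the timer still armed, the second cancels the timer first, as the proposed fix does. Kernel calls are simulated under sim_* names, and CFG2_CTRLO's value and run_scenario are constructed for the model.

```c
/* Userspace model of the reported race (not kernel code): a still-armed timer
 * whose callback touches priv(dev) after ether3_remove() has freed it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define CFG2_CTRLO 0x01 /* constructed stand-in for the driver's register bit */
struct sim_timer { bool shut_down; struct dev_priv *owner; };
struct dev_priv { unsigned int config2; struct sim_timer timer; };
/* Timer wheel: the owner is copied at arm time so the model itself never
 * touches a timer embedded in an object that has already been freed. */
struct pending_entry { struct sim_timer *t; struct dev_priv *owner; };
static struct pending_entry pending[8]; static int npending;
static uintptr_t freed[8]; static int nfreed; /* stands in for the allocator */
static void sim_add_timer(struct sim_timer *t)
{
    if (t->shut_down) return; /* timer_shutdown_sync() forbids re-arming */
    pending[npending++] = (struct pending_entry){ t, t->owner };
}
/* Model of del_timer_sync()/timer_shutdown_sync(): dequeue the timer and
 * refuse later re-arms, so no callback can run once this has returned. */
static void sim_timer_shutdown_sync(struct sim_timer *t)
{
    for (int i = 0; i < npending; i++)
        if (pending[i].t == t) pending[i] = pending[--npending];
    t->shut_down = true;
}
static bool is_freed(uintptr_t p)
{ for (int i = 0; i < nfreed; i++) if (freed[i] == p) return true; return false; }
/* Expire every armed timer; return how many callbacks would hit freed memory. */
static int sim_run_pending(void)
{
    int uaf = 0;
    while (npending > 0) {
        struct pending_entry e = pending[--npending];
        if (is_freed((uintptr_t)e.owner)) { uaf++; continue; } /* the reported UAF */
        e.owner->config2 |= CFG2_CTRLO;                        /* ether3_ledoff body */
    }
    return uaf;
}
/* cancel_first=false is the order in the report; true applies the proposed fix. */
int run_scenario(bool cancel_first)
{
    npending = nfreed = 0;
    struct dev_priv *p = calloc(1, sizeof *p);
    if (!p) return -1;
    p->timer.owner = p;
    sim_add_timer(&p->timer);                       /* armed by the driver */
    if (cancel_first) sim_timer_shutdown_sync(&p->timer);
    freed[nfreed++] = (uintptr_t)p; free(p);        /* free_netdev(dev) */
    return sim_run_pending();
}
```

In the real driver the cancellation step corresponds to calling del_timer_sync() or timer_shutdown_sync() on priv(dev)->timer before the netdev is freed.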


* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
  2024-09-02 11:37   ` Wentai Deng
@ 2024-09-02 15:54     ` Andrew Lunn
  0 siblings, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2024-09-02 15:54 UTC (permalink / raw)
  To: Wentai Deng
  Cc: Russell King (Oracle), davem, edumazet, kuba, pabeni,
	linux-arm-kernel, netdev, linux-kernel, 杜雪盈

On Mon, Sep 02, 2024 at 07:37:41PM +0800, Wentai Deng wrote:
> Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.

Please don't top post.

>   ------------------ Original ------------------From:  "Russell King (Oracle)"<linux@armlinux.org.uk>;Date:  Mon, Sep 2, 2024 05:23 PMTo:  "Wentai Deng"<wtdeng24@m.fudan.edu.cn>; Cc:  "davem"<davem@davemloft.net>; "edumazet"<edumazet@google.com>; "kuba"<kuba@kernel.org>; "pabeni"<pabeni@redhat.com>; "linux-arm-kernel"<linux-arm-kernel@lists.infradead.org>; "netdev"<netdev@vger.kernel.org>; "linux-kernel"<linux-kernel@vger.kernel.org>; "杜雪盈"<21210240012@m.fudan.edu.cn>; Subject:  Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition

You have also mangled Russell's reply. Plain text only please.

	Andrew



* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
  2024-09-02 11:42 [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition Wentai Deng
@ 2024-09-02 15:56 ` Andrew Lunn
  2024-09-04  6:31   ` Wentai Deng
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew Lunn @ 2024-09-02 15:56 UTC (permalink / raw)
  To: Wentai Deng
  Cc: linux, davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
	linux-kernel, 杜雪盈

> Request for Review:
> 
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system and if the proposed fix is appropriate.

Please submit an actual patch fixing the issue. We can then decide if
it is the correct fix.

       Andrew



* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
  2024-09-02 15:56 ` Andrew Lunn
@ 2024-09-04  6:31   ` Wentai Deng
  0 siblings, 0 replies; 6+ messages in thread
From: Wentai Deng @ 2024-09-04  6:31 UTC (permalink / raw)
  To: Andrew Lunn
  Cc: linux, davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
	linux-kernel, 杜雪盈

> Please submit an actual patch fixing the issue. We can then decide if it is the correct fix.

Thank you for the feedback. We will prepare and submit an actual patch that addresses the issue for your review.

    Wentai

