* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
[not found] <tencent_4212C4F240B0666B49355184@qq.com>
@ 2024-09-02 9:23 ` Russell King (Oracle)
2024-09-02 11:37 ` Wentai Deng
0 siblings, 1 reply; 6+ messages in thread
From: Russell King (Oracle) @ 2024-09-02 9:23 UTC (permalink / raw)
To: Wentai Deng
Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
linux-kernel, 杜雪盈
On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:
> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &priv(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
>
> CPU0                    | CPU1
>                         | ether3_ledoff
> ether3_remove           |
> free_netdev(dev);       |
> put_device              |
> kfree(dev);             |
>                         | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>                         | // use dev
This is unreadable.
> Request for Review:
>
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.
Please resend without the HTML junk in the plain text part.
--
*** please note that I probably will only be occasionally responsive
*** for an unknown period of time due to recent eye surgery making
*** reading quite difficult.
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
2024-09-02 9:23 ` [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition Russell King (Oracle)
@ 2024-09-02 11:37 ` Wentai Deng
2024-09-02 15:54 ` Andrew Lunn
0 siblings, 1 reply; 6+ messages in thread
From: Wentai Deng @ 2024-09-02 11:37 UTC (permalink / raw)
To: Russell King (Oracle)
Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
linux-kernel, 杜雪盈
Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.
* Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
2024-09-02 11:37 ` Wentai Deng
@ 2024-09-02 15:54 ` Andrew Lunn
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2024-09-02 15:54 UTC (permalink / raw)
To: Wentai Deng
Cc: Russell King (Oracle), davem, edumazet, kuba, pabeni,
linux-arm-kernel, netdev, linux-kernel, 杜雪盈
On Mon, Sep 02, 2024 at 07:37:41PM +0800, Wentai Deng wrote:
> Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.
Please don't top post.
> ------------------ Original ------------------
> From: "Russell King (Oracle)" <linux@armlinux.org.uk>
> Date: Mon, Sep 2, 2024 05:23 PM
> To: "Wentai Deng" <wtdeng24@m.fudan.edu.cn>
> Cc: "davem" <davem@davemloft.net>; "edumazet" <edumazet@google.com>; "kuba" <kuba@kernel.org>; "pabeni" <pabeni@redhat.com>; "linux-arm-kernel" <linux-arm-kernel@lists.infradead.org>; "netdev" <netdev@vger.kernel.org>; "linux-kernel" <linux-kernel@vger.kernel.org>; "杜雪盈" <21210240012@m.fudan.edu.cn>
> Subject: Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
You have also mangled Russell's reply. Plain text only please.
Andrew
* [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
@ 2024-09-02 11:42 Wentai Deng
2024-09-02 15:56 ` Andrew Lunn
0 siblings, 1 reply; 6+ messages in thread
From: Wentai Deng @ 2024-09-02 11:42 UTC (permalink / raw)
To: linux
Cc: davem, edumazet, kuba, pabeni, linux-arm-kernel, netdev,
linux-kernel, 杜雪盈
Our team recently developed a vulnerability detection tool, and we have employed it to scan the Linux Kernel (version 6.9.6). After manual review, we found some potentially vulnerable code snippets which may have use-after-free bugs due to race conditions. Therefore, we would appreciate your expert insight to confirm whether these vulnerabilities could indeed pose a risk to the system.
Vulnerability Description:
File: /drivers/net/ethernet/seeq/ether3.c
In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &priv(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
CPU0                    | CPU1
                        | ether3_ledoff
ether3_remove           |
free_netdev(dev);       |
put_device              |
kfree(dev);             |
                        | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                        | // use dev
Proposed Fix:
The issue can be resolved by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove or ether3_close. This will prevent any pending or active timer functions from accessing memory that has already been freed.
Relevant CVE and Reference:
This issue is similar to the vulnerability documented in CVE-2023-3141, and a related fix was implemented as shown in the following commit:
memstick: r592: Fix UAF bug in r592_remove due to race condition (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=63264422785021704c39b38f65a78ab9e4a186d7)
Request for Review:
We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system and if the proposed fix is appropriate.
Thank you for your time and consideration.
Best regards,
Wentai Deng
wtdeng24@m.fudan.edu.cn
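Added example, not code from the ether3 driver or from the report above: a constructed userspace C model of the race described in the report and in the quoted copy of it earlier in the thread. A thread stands in for the re-arming ether3_ledoff timer, and the "free" is a flag rather than a real kfree() so the buggy ordering can be observed without undefined behaviour; ether3_remove_model(1) applies the proposed fix (cancel the timer synchronously before cleanup), ether3_remove_model(0) frees first.

```c
#define _POSIX_C_SOURCE 200809L          /* for nanosleep() */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>
/* Constructed userspace model, not drivers/net/ethernet/seeq/ether3.c: a thread
 * re-arming every 1 ms plays the ether3_ledoff timer, and the "free" is a flag
 * rather than a real kfree() so the buggy ordering stays well-defined. */
struct ether3_priv {
    atomic_int freed;       /* set where free_netdev() -> kfree(dev) would run */
    atomic_int uaf_hits;    /* callback runs that touched the freed device */
    atomic_int stop;        /* set by the synchronous cancel */
    pthread_t timer;
};

/* The callback; the real driver writes priv(dev)->regs.config2 here. */
static void ether3_ledoff_model(struct ether3_priv *p) {
    if (atomic_load(&p->freed))
        atomic_fetch_add(&p->uaf_hits, 1);   /* this is the use-after-free */
}

static void *timer_loop(void *arg) {         /* the re-arming timer */
    struct ether3_priv *p = arg;
    while (!atomic_load(&p->stop)) {
        nanosleep(&(struct timespec){0, 1000000L}, NULL);   /* 1 ms period */
        ether3_ledoff_model(p);
    }
    return NULL;
}

/* Cancel and wait for an in-flight callback: timer_shutdown_sync() semantics. */
static void timer_shutdown_sync_model(struct ether3_priv *p) {
    atomic_store(&p->stop, 1);
    pthread_join(p->timer, NULL);
}

/* Models ether3_remove(); returns how many callbacks ran on the freed device. */
static int ether3_remove_model(int cancel_timer_first) {
    struct ether3_priv *p = calloc(1, sizeof *p);
    if (!p || pthread_create(&p->timer, NULL, timer_loop, p) != 0) return -1;
    nanosleep(&(struct timespec){0, 5000000L}, NULL);       /* timer has started */
    if (cancel_timer_first) timer_shutdown_sync_model(p);   /* the proposed fix */
    atomic_store(&p->freed, 1);                             /* free_netdev(dev) -> kfree(dev) */
    nanosleep(&(struct timespec){0, 50000000L}, NULL);      /* window in which the race shows */
    if (!cancel_timer_first) timer_shutdown_sync_model(p);  /* demo-only thread cleanup */
    int hits = atomic_load(&p->uaf_hits);
    free(p);
    return hits;
}
```

With the fix the count is zero; without it the still-armed timer keeps firing against the "freed" device, which is the window the report describes.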
Thread overview: 6+ messages
[not found] <tencent_4212C4F240B0666B49355184@qq.com>
2024-09-02 9:23 ` [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition Russell King (Oracle)
2024-09-02 11:37 ` Wentai Deng
2024-09-02 15:54 ` Andrew Lunn
2024-09-02 11:42 Wentai Deng
2024-09-02 15:56 ` Andrew Lunn
2024-09-04 6:31 ` Wentai Deng