* [PATCH] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
@ 2024-03-05 8:20 Lee, Chun-Yi
2024-03-06 15:35 ` (subset) " Jens Axboe
0 siblings, 1 reply; 3+ messages in thread
From: Lee, Chun-Yi @ 2024-03-05 8:20 UTC (permalink / raw)
To: Justin Sanders
Cc: Jens Axboe, Pavel Emelianov, Kirill Korotaev, David S . Miller,
linux-block, linux-kernel, Chun-Yi Lee
From: Chun-Yi Lee <jlee@suse.com>
This patch is against CVE-2023-6270. The description of cve is:
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
`struct net_device`, and a use-after-free can be triggered by racing
between the free on the struct and the access through the `skbtxq`
global queue. This could lead to a denial of service condition or
potential code execution.
In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.
This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
---
drivers/block/aoe/aoecmd.c | 12 ++++++------
drivers/block/aoe/aoenet.c | 1 +
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
index d7317425be51..cc9077b588d7 100644
--- a/drivers/block/aoe/aoecmd.c
+++ b/drivers/block/aoe/aoecmd.c
@@ -419,13 +419,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
rcu_read_lock();
for_each_netdev_rcu(&init_net, ifp) {
dev_hold(ifp);
- if (!is_aoe_netif(ifp))
- goto cont;
+ if (!is_aoe_netif(ifp)) {
+ dev_put(ifp);
+ continue;
+ }
skb = new_skb(sizeof *h + sizeof *ch);
if (skb == NULL) {
printk(KERN_INFO "aoe: skb alloc failure\n");
- goto cont;
+ dev_put(ifp);
+ continue;
}
skb_put(skb, sizeof *h + sizeof *ch);
skb->dev = ifp;
@@ -440,9 +443,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
h->major = cpu_to_be16(aoemajor);
h->minor = aoeminor;
h->cmd = AOECMD_CFG;
-
-cont:
- dev_put(ifp);
}
rcu_read_unlock();
}
diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
index c51ea95bc2ce..923a134fd766 100644
--- a/drivers/block/aoe/aoenet.c
+++ b/drivers/block/aoe/aoenet.c
@@ -63,6 +63,7 @@ tx(int id) __must_hold(&txlock)
pr_warn("aoe: packet could not be sent on %s. %s\n",
ifp ? ifp->name : "netif",
"consider increasing tx_queue_len");
+ dev_put(ifp);
spin_lock_irq(&txlock);
}
return 0;
--
2.35.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: (subset) [PATCH] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
2024-03-05 8:20 [PATCH] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts Lee, Chun-Yi
@ 2024-03-06 15:35 ` Jens Axboe
2024-03-07 12:40 ` joeyli
0 siblings, 1 reply; 3+ messages in thread
From: Jens Axboe @ 2024-03-06 15:35 UTC (permalink / raw)
To: Justin Sanders, Lee, Chun-Yi
Cc: Pavel Emelianov, Kirill Korotaev, David S . Miller, linux-block,
linux-kernel, Chun-Yi Lee
On Tue, 05 Mar 2024 16:20:48 +0800, Lee, Chun-Yi wrote:
> This patch is against CVE-2023-6270. The description of cve is:
>
> A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
> kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
> `struct net_device`, and a use-after-free can be triggered by racing
> between the free on the struct and the access through the `skbtxq`
> global queue. This could lead to a denial of service condition or
> potential code execution.
>
> [...]
Applied, thanks!
[1/1] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
commit: f98364e926626c678fb4b9004b75cacf92ff0662
Best regards,
--
Jens Axboe
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: (subset) [PATCH] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
2024-03-06 15:35 ` (subset) " Jens Axboe
@ 2024-03-07 12:40 ` joeyli
0 siblings, 0 replies; 3+ messages in thread
From: joeyli @ 2024-03-07 12:40 UTC (permalink / raw)
To: Jens Axboe
Cc: Justin Sanders, Lee, Chun-Yi, Pavel Emelianov, Kirill Korotaev,
David S . Miller, linux-block, linux-kernel
Hi Jens,
On Wed, Mar 06, 2024 at 08:35:34AM -0700, Jens Axboe wrote:
>
> On Tue, 05 Mar 2024 16:20:48 +0800, Lee, Chun-Yi wrote:
> > This patch is against CVE-2023-6270. The description of cve is:
> >
> > A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
> > kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
> > `struct net_device`, and a use-after-free can be triggered by racing
> > between the free on the struct and the access through the `skbtxq`
> > global queue. This could lead to a denial of service condition or
> > potential code execution.
> >
> > [...]
>
> Applied, thanks!
>
> [1/1] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
> commit: f98364e926626c678fb4b9004b75cacf92ff0662
>
Thanks for your review!
Joey Lee
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-03-07 12:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-05 8:20 [PATCH] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts Lee, Chun-Yi
2024-03-06 15:35 ` (subset) " Jens Axboe
2024-03-07 12:40 ` joeyli
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox