From: Willy Tarreau <w@1wt.eu>
To: netdev@vger.kernel.org
Cc: rootlab@huawei.com
Subject: Fwd: Race Condition Vulnerability in aarp_rcv of nfc module leading to UAF
Date: Sat, 7 Oct 2023 08:41:21 +0200
Message-ID: <20231007064121.GY20998@1wt.eu>
Hello,
Sili Luo of Huawei sent this to the security list. Eric and I think it
does not deserve special handling from the security team and will be
better addressed here.
Regards,
Willy
PS: actually there were 8, not 6 reports for atalk in this series.
----- Forwarded message from rootlab <rootlab@huawei.com> -----
> Date: Sat, 7 Oct 2023 03:12:17 +0000
> From: rootlab <rootlab@huawei.com>
> Subject: Race Condition Vulnerability in aarp_rcv of nfc module leading to UAF
> To: "security@kernel.org" <security@kernel.org>
> Delivered-To: security@kernel.org
>
> the document format is markdown.
>
> I recently found a race condition vulnerability in aarp_rcv, which leads to the kernel accessing a freed atalk_iface object.
>
> The vulnerability code presented below is located in Linux 6.5-rc5, and it is possible that other versions may also be affected.
>
> [Root Cause]
>
> key code of aarp_rcv:
>
> * aarp_rcv
>
> * struct atalk_iface *ifa = atalk_find_dev(dev)
>
> * return dev->atalk_ptr;
> * use ifa
>
> vuln: aarp_rcv uses ifa without a lock.
>
> steps to trigger bug:
>
> 1. Let thread A be executing between points 1 and 2.
> 2. Then thread B frees iface via ioctl(at_fd, SIOCDIFADDR, &atreq).
> 3. Then thread A will use the freed iface.
>
> Time
> +
> |     thread A                        |  thread B
> |     aarp_rcv                        |  ioctl --> atalk_dev_down
> |                                     |
> |  1. ifa = atalk_find_dev(dev)       |
> |                                     |
> |                                     |  2. atif_drop_device(dev) --> free ifa
> |                                     |
> |  // UAF!                            |
> |  3. use ifa                         |
> +
>
>
> [Patch Suggestion]
>
> 1. add refcount for struct atalk_addr
> 2. Use the right lock
>
> [Proof-of-Concept]
>
> No poc yet
>
> [CREDIT]
>
> Sili Luo
> RO0T Lab of Huawei
>
----- End forwarded message -----
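The interleaving in the report and the refcount fix it proposes, as an added userspace model that is not part of the report or of the kernel; the model_* names, the spin flag standing in for the interface list lock and the free counter are assumptions made for the replay:

```c
/* Userspace model of the race in the report (a lookup returning a raw pointer
 * vs. a concurrent detach that frees it) and of the suggested refcount fix.
 * All model_* names are hypothetical; none of this is kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
struct model_iface { atomic_int refcnt; };             /* stands in for atalk_iface */
struct model_dev   { struct model_iface *atalk_ptr; }; /* mirrors dev->atalk_ptr   */
static atomic_flag model_lock = ATOMIC_FLAG_INIT;      /* stands in for the list lock */
static int model_freed;                                /* frees seen during a replay */
static void lock_iface(void)   { while (atomic_flag_test_and_set(&model_lock)) ; }
static void unlock_iface(void) { atomic_flag_clear(&model_lock); }
/* Drop one reference; the object is freed only when the last one goes. */
void model_put(struct model_iface *ifa)
{
    if (atomic_fetch_sub(&ifa->refcnt, 1) == 1) { free(ifa); model_freed++; }
}
/* Fixed lookup: take a reference while the lock guarantees the pointer is
 * still valid. The caller must model_put() when it is done with ifa. */
struct model_iface *model_find_dev_get(struct model_dev *dev)
{
    lock_iface();
    struct model_iface *ifa = dev->atalk_ptr;
    if (ifa) atomic_fetch_add(&ifa->refcnt, 1);
    unlock_iface();
    return ifa;
}
/* Thread B (atalk_dev_down -> atif_drop_device): detach under the lock,
 * then drop the reference the device itself held. */
void model_drop_device(struct model_dev *dev)
{
    lock_iface();
    struct model_iface *ifa = dev->atalk_ptr;
    dev->atalk_ptr = NULL;
    unlock_iface();
    if (ifa) model_put(ifa);
}
/* Replay the report's interleaving (1. lookup, 2. drop, 3. use); returns true
 * when step 3 would touch a live object. Without the refcount, step 1 is the
 * report's bare dev->atalk_ptr read and the drop frees the object under it. */
bool model_replay(bool use_refcount)
{
    struct model_dev dev = { malloc(sizeof(struct model_iface)) };
    atomic_init(&dev.atalk_ptr->refcnt, 1);           /* the device's own reference */
    int before = model_freed;
    struct model_iface *ifa = use_refcount ? model_find_dev_get(&dev) : dev.atalk_ptr;
    model_drop_device(&dev);
    bool alive = (model_freed == before);             /* step 3: still valid? */
    if (alive) model_put(ifa);                        /* receiver done with ifa */
    return alive;
}
```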