netdev.vger.kernel.org archive mirror
* Fwd: Race Condition Vulnerability in aarp_rcv of nfc module leading to UAF
@ 2023-10-07  6:41 Willy Tarreau
From: Willy Tarreau @ 2023-10-07  6:41 UTC (permalink / raw)
  To: netdev; +Cc: rootlab

Hello,

Sili Luo of Huawei sent this to the security list. Eric and I think it
does not deserve special handling from the security team and will be
better addressed here.

Regards,
Willy

PS: actually there were 8, not 6 reports for atalk in this series.

----- Forwarded message from rootlab <rootlab@huawei.com> -----

> Date: Sat, 7 Oct 2023 03:12:17 +0000
> From: rootlab <rootlab@huawei.com>
> Subject: Race Condition Vulnerability in aarp_rcv of nfc module leading to UAF
> To: "security@kernel.org" <security@kernel.org>
> Delivered-To: security@kernel.org
> 
> The document format is markdown.
> 
> I recently found a race condition vulnerability in aarp_rcv, which leads to the kernel accessing a freed atalk_iface object.
> 
> The vulnerability code presented below is located in Linux 6.5-rc5, and it is possible that other versions may also be affected.
> 
> [Root Cause]
> 
> key code of aarp_rcv:
> 
>   *   aarp_rcv
>       *   struct atalk_iface *ifa = atalk_find_dev(dev)
>           *   return dev->atalk_ptr;
>       *   use ifa
> 
> vuln: aarp_rcv uses ifa without a lock.
> 
> steps to trigger bug:
> 
>   1.  let thread A be executed between 1 and 2
>   2.  then thread B frees iface via ioctl(at_fd, SIOCDIFADDR, &atreq)
>   3.  Then thread A will use the freed iface.
> 
>                                                   Time
>                                                    +
>                                                    |
> thread A                                           |  thread B
> aarp_rcv                                           |  ioctl --> atalk_dev_down
>                                                    |
>                                                    |
>   1.ifa = atalk_find_dev(dev)                      |
>                                                    |
>                                                    |
>                                                    |     2.atif_drop_device(dev)  --> free ifa
>                                                    |
>                                                    |
>     // UAF!                                        |
>   3.use ifa                                        |
>                                                    +
> 
> 
> [Patch Suggestion]
> 
>   1.  add refcount for struct atalk_addr
>   2.  Use the right lock
> 
> [Proof-of-Concept]
> 
> No PoC yet
> 
> [CREDIT]
> 
> Sili Luo
> RO0T Lab of Huawei
> 

----- End forwarded message -----
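The lookup-then-use window the report describes, and the refcounted lookup it proposes as a fix, as an added C model that is not the kernel's code: the names mirror the report (atalk_iface, atalk_ptr, atalk_find_dev, atif_drop_device), the bodies are constructed, and the two-thread interleaving from the diagram is replayed sequentially so the lifetime outcome can be checked.

```c
/* Added C model of the race and of the refcount fix, not Linux source: names
 * mirror the report, bodies are constructed, the interleaving is replayed
 * sequentially and the lock around dev->atalk_ptr is noted, not implemented. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

struct atalk_iface { atomic_int refcnt; char name[16]; }; /* refcnt added by fix */
struct net_device { struct atalk_iface *atalk_ptr; };     /* owns one reference */
static int frees_seen;   /* lets model_race() observe when the object dies */

static void iface_put(struct atalk_iface *ifa) {
    if (atomic_fetch_sub(&ifa->refcnt, 1) == 1) { frees_seen++; free(ifa); }
}

/* Vulnerable lookup from the report: raw pointer, no lock, no reference. */
static struct atalk_iface *atalk_find_dev(struct net_device *dev) {
    return dev->atalk_ptr;
}

/* Fixed lookup: read the pointer and take a reference while the lock is held;
 * the caller now owns that reference and must iface_put() it when done. */
static struct atalk_iface *atalk_find_dev_hold(struct net_device *dev) {
    struct atalk_iface *ifa = dev->atalk_ptr;   /* lock held */
    if (ifa)
        atomic_fetch_add(&ifa->refcnt, 1);
    return ifa;                                 /* lock released */
}

/* Thread B: unlink under the lock, then drop the device's own reference. */
static void atif_drop_device(struct net_device *dev) {
    struct atalk_iface *ifa = dev->atalk_ptr;   /* lock held */
    dev->atalk_ptr = NULL;                      /* lock released after this */
    if (ifa) iface_put(ifa);
}

/* Replays steps 1..3 of the diagram. Returns 1 if the iface was still
 * allocated when thread A used it, 0 if step 2 had already freed it. */
static int model_race(int use_refcount) {
    struct net_device dev = { calloc(1, sizeof(struct atalk_iface)) };
    atomic_init(&dev.atalk_ptr->refcnt, 1);
    strcpy(dev.atalk_ptr->name, "at0");
    frees_seen = 0;
    struct atalk_iface *ifa = use_refcount ? atalk_find_dev_hold(&dev)
                                           : atalk_find_dev(&dev); /* 1 */
    atif_drop_device(&dev);                                        /* 2 */
    if (frees_seen)                                                /* 3 */
        return 0;                   /* ifa dangles and must not be touched */
    int ok = strcmp(ifa->name, "at0") == 0;   /* safe: we hold a reference */
    iface_put(ifa);
    return ok;
}
```

With the raw lookup the object is already gone at step 3; with the held reference the device teardown only drops its own count and the receiver's copy stays valid until it calls iface_put().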
