From: Hagar Hemdan <hagarhem@amazon.com>
Cc: <stable@vger.kernel.org>, Jeongjun Park <aha310510@gmail.com>,
"Jakub Kicinski" <kuba@kernel.org>,
Hagar Hemdan <hagarhem@amazon.com>
Subject: [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash()
Date: Wed, 22 Jan 2025 17:43:44 +0000 [thread overview]
Message-ID: <20250122174344.10000-2-hagarhem@amazon.com> (raw)
In-Reply-To: <20250122174344.10000-1-hagarhem@amazon.com>
From: Jeongjun Park <aha310510@gmail.com>
commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 upstream.
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
This is the main fix for CVE-2024-49936.
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
static void xenvif_flush_hash(struct xenvif *vif)
{
- struct xenvif_hash_cache_entry *entry;
+ struct xenvif_hash_cache_entry *entry, *n;
unsigned long flags;
if (xenvif_hash_cache_size == 0)
@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
- lockdep_is_held(&vif->hash.cache.lock)) {
+ list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
list_del_rcu(&entry->link);
vif->hash.cache.count--;
kfree_rcu(entry, rcu);
next prev parent reply other threads:[~2025-01-22 17:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-22 17:43 [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Hagar Hemdan
2025-01-22 17:43 ` Hagar Hemdan [this message]
2025-01-22 22:38 ` [PATCH 5.4] net/xen-netback: prevent UAF in xenvif_flush_hash() Sasha Levin
2025-01-22 22:38 ` [PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250122174344.10000-2-hagarhem@amazon.com \
--to=hagarhem@amazon.com \
--cc=aha310510@gmail.com \
--cc=kuba@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox