Message ID | 20231117235302.79546-1-yuxuan.luo@canonical.com |
---|---|
Series | CVE-2023-6039 |
On 18.11.23 00:52, Yuxuan Luo wrote:
> [Impact]
> A use-after-free flaw was found in lan78xx_disconnect in
> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
> in the Linux Kernel. This flaw allows a local attacker to crash the
> system when the LAN78XX USB device detaches.
>
> [Backport]
> The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
> which can be ignored since this API (introduced at ec4c7e12396b (“lan78xx:
> Introduce NAPI polling support”)) is irrelevant to this fix.
>
> It also depends on a kernel clock function, timer_shutdown_sync(). Since
> this function might be used widely in the future given it is under
> include/linux directory, backporting the new kernel function is
> preferred over expanding it.
>
> Additionally, there were some namespace conflicts when building armhf
> and arm64 kernels, three commits authored by Steven Rostedt are needed
> to address the issue.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> It is not an easy task to assess the regression potential as 9 more
> out-of-scope patches are introduced, proceed with caution.
>
> Duoming Zhou (1):
>   net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
>
> Steven Rostedt (Google) (3):
>   clocksource/drivers/arm_arch_timer: Do not use timer namespace for
>     timer_shutdown() function
>   clocksource/drivers/sp804: Do not use timer namespace for
>     timer_shutdown() function
>   ARM: spear: Do not use timer namespace for timer_shutdown() function
>
> Thomas Gleixner (7):
>   timers: Use del_timer_sync() even on UP
>   timers: Update kernel-doc for various functions
>   timers: Rename del_timer_sync() to timer_delete_sync()
>   timers: Rename del_timer() to timer_delete()
>   timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>   timers: Add shutdown mechanism to the internal functions
>   timers: Provide timer_shutdown[_sync]()
>
>  arch/arm/mach-spear/time.c           |   8 +-
>  drivers/clocksource/arm_arch_timer.c |  12 +-
>  drivers/clocksource/timer-sp804.c    |   6 +-
>  drivers/net/usb/lan78xx.c            |   7 +-
>  include/linux/timer.h                |  35 ++-
>  kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
>  6 files changed, 318 insertions(+), 115 deletions(-)
>

The larger change is in comments only. The rest tries from what I understand to avoid visible changes to interfaces. One nitpick maybe: is this really the order from upstream? To me this reads as the new timer_shutdown() is added first and then clashing static functions getting renamed. That would cause issues to bisect. Though probably nothing would bisect into the middle of that sequence.

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 11/21/23 03:54, Stefan Bader wrote:
> On 18.11.23 00:52, Yuxuan Luo wrote:
>> [Impact]
>> A use-after-free flaw was found in lan78xx_disconnect in
>> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
>> in the Linux Kernel. This flaw allows a local attacker to crash the
>> system when the LAN78XX USB device detaches.
>>
>> [Backport]
>> The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
>> which can be ignored since this API (introduced at ec4c7e12396b
>> (“lan78xx:
>> Introduce NAPI polling support”)) is irrelevant to this fix.
>>
>> It also depends on a kernel clock function, timer_shutdown_sync(). Since
>> this function might be used widely in the future given it is under
>> include/linux directory, backporting the new kernel function is
>> preferred over expanding it.
>>
>> Additionally, there were some namespace conflicts when building armhf
>> and arm64 kernels, three commits authored by Steven Rostedt are needed
>> to address the issue.
>>
>> [Test]
>> Compile and boot tested.
>>
>> [Potential Regression]
>> It is not an easy task to assess the regression potential as 9 more
>> out-of-scope patches are introduced, proceed with caution.
>>
>> Duoming Zhou (1):
>>   net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
>>
>> Steven Rostedt (Google) (3):
>>   clocksource/drivers/arm_arch_timer: Do not use timer namespace for
>>     timer_shutdown() function
>>   clocksource/drivers/sp804: Do not use timer namespace for
>>     timer_shutdown() function
>>   ARM: spear: Do not use timer namespace for timer_shutdown() function
>>
>> Thomas Gleixner (7):
>>   timers: Use del_timer_sync() even on UP
>>   timers: Update kernel-doc for various functions
>>   timers: Rename del_timer_sync() to timer_delete_sync()
>>   timers: Rename del_timer() to timer_delete()
>>   timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown
>>     mode
>>   timers: Add shutdown mechanism to the internal functions
>>   timers: Provide timer_shutdown[_sync]()
>>
>>  arch/arm/mach-spear/time.c           |   8 +-
>>  drivers/clocksource/arm_arch_timer.c |  12 +-
>>  drivers/clocksource/timer-sp804.c    |   6 +-
>>  drivers/net/usb/lan78xx.c            |   7 +-
>>  include/linux/timer.h                |  35 ++-
>>  kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
>>  6 files changed, 318 insertions(+), 115 deletions(-)
>>
>
> The larger change is in comments only.

Indeed, but since it's backporting a kernel function I would prefer clean cherry pick as many as possible, so some documentation commits are included as well.

> The rest tries from what I understand to avoid visible changes to
> interfaces. One nitpick maybe: is this really the order from upstream?
> To me this reads as the new timer_shutdown() is added first and then
> clashing static functions getting renamed. That would cause issues to
> bisect. Though probably nothing would bisect into the middle of that
> sequence.

IIRC, yes, it is the order from upstream.

>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
>

Acked-by: Jacob Martin <jacob.martin@canonical.com>

On 11/17/23 5:52 PM, Yuxuan Luo wrote:
> [Impact]
> A use-after-free flaw was found in lan78xx_disconnect in
> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
> in the Linux Kernel. This flaw allows a local attacker to crash the
> system when the LAN78XX USB device detaches.
>
> [Backport]
> The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
> which can be ignored since this API (introduced at ec4c7e12396b (“lan78xx:
> Introduce NAPI polling support”)) is irrelevant to this fix.
>
> It also depends on a kernel clock function, timer_shutdown_sync(). Since
> this function might be used widely in the future given it is under
> include/linux directory, backporting the new kernel function is
> preferred over expanding it.
>
> Additionally, there were some namespace conflicts when building armhf
> and arm64 kernels, three commits authored by Steven Rostedt are needed
> to address the issue.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> It is not an easy task to assess the regression potential as 9 more
> out-of-scope patches are introduced, proceed with caution.
>
> Duoming Zhou (1):
>   net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
>
> Steven Rostedt (Google) (3):
>   clocksource/drivers/arm_arch_timer: Do not use timer namespace for
>     timer_shutdown() function
>   clocksource/drivers/sp804: Do not use timer namespace for
>     timer_shutdown() function
>   ARM: spear: Do not use timer namespace for timer_shutdown() function
>
> Thomas Gleixner (7):
>   timers: Use del_timer_sync() even on UP
>   timers: Update kernel-doc for various functions
>   timers: Rename del_timer_sync() to timer_delete_sync()
>   timers: Rename del_timer() to timer_delete()
>   timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>   timers: Add shutdown mechanism to the internal functions
>   timers: Provide timer_shutdown[_sync]()
>
>  arch/arm/mach-spear/time.c           |   8 +-
>  drivers/clocksource/arm_arch_timer.c |  12 +-
>  drivers/clocksource/timer-sp804.c    |   6 +-
>  drivers/net/usb/lan78xx.c            |   7 +-
>  include/linux/timer.h                |  35 ++-
>  kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
>  6 files changed, 318 insertions(+), 115 deletions(-)
>

On 18/11/2023 00:52, Yuxuan Luo wrote:
> [Impact]
> A use-after-free flaw was found in lan78xx_disconnect in
> drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx
> in the Linux Kernel. This flaw allows a local attacker to crash the
> system when the LAN78XX USB device detaches.
>
> [Backport]
> The fix commit has a conflict at the netif_napi_del(&dev->napi); line,
> which can be ignored since this API (introduced at ec4c7e12396b (“lan78xx:
> Introduce NAPI polling support”)) is irrelevant to this fix.
>
> It also depends on a kernel clock function, timer_shutdown_sync(). Since
> this function might be used widely in the future given it is under
> include/linux directory, backporting the new kernel function is
> preferred over expanding it.
>
> Additionally, there were some namespace conflicts when building armhf
> and arm64 kernels, three commits authored by Steven Rostedt are needed
> to address the issue.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> It is not an easy task to assess the regression potential as 9 more
> out-of-scope patches are introduced, proceed with caution.
>
> Duoming Zhou (1):
>   net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
>
> Steven Rostedt (Google) (3):
>   clocksource/drivers/arm_arch_timer: Do not use timer namespace for
>     timer_shutdown() function
>   clocksource/drivers/sp804: Do not use timer namespace for
>     timer_shutdown() function
>   ARM: spear: Do not use timer namespace for timer_shutdown() function
>
> Thomas Gleixner (7):
>   timers: Use del_timer_sync() even on UP
>   timers: Update kernel-doc for various functions
>   timers: Rename del_timer_sync() to timer_delete_sync()
>   timers: Rename del_timer() to timer_delete()
>   timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
>   timers: Add shutdown mechanism to the internal functions
>   timers: Provide timer_shutdown[_sync]()
>
>  arch/arm/mach-spear/time.c           |   8 +-
>  drivers/clocksource/arm_arch_timer.c |  12 +-
>  drivers/clocksource/timer-sp804.c    |   6 +-
>  drivers/net/usb/lan78xx.c            |   7 +-
>  include/linux/timer.h                |  35 ++-
>  kernel/time/timer.c                  | 365 ++++++++++++++++++++-------
>  6 files changed, 318 insertions(+), 115 deletions(-)
>

Applied to jammy:master-next. Thanks!

Roxana