From patchwork Fri Nov 17 23:53:02 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1865323
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 11/11] net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
Date: Fri, 17 Nov 2023 18:53:02 -0500
Message-Id: <20231117235302.79546-12-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231117235302.79546-1-yuxuan.luo@canonical.com>
References: <20231117235302.79546-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Duoming Zhou

The timer dev->stat_monitor can schedule the delayed work dev->wq and
the delayed work dev->wq can also arm the dev->stat_monitor timer. When
the device is detaching, the net_device will be deallocated, but the
net_device private data could still be dereferenced in delayed work or
timer handler. As a result, the UAF bugs will happen.

One racy situation is shown below:

      (Thread 1)                 |      (Thread 2)
lan78xx_stat_monitor()           |
 ...                             | lan78xx_disconnect()
 lan78xx_defer_kevent()          |  ...
  ...                            |  cancel_delayed_work_sync(&dev->wq);
  schedule_delayed_work()        |  ...
   (wait some time)              |  free_netdev(net); //free net_device
lan78xx_delayedwork()            |
 //use net_device private data   |
 dev-> //use                     |

Although we use cancel_delayed_work_sync() to cancel the delayed work
in lan78xx_disconnect(), it could still be scheduled in timer handler
lan78xx_stat_monitor().

Another racy situation is shown below:

      (Thread 1)                 |      (Thread 2)
lan78xx_delayedwork              |
 mod_timer()                     | lan78xx_disconnect()
                                 |  cancel_delayed_work_sync()
  (wait some time)               |  if (timer_pending(&dev->stat_monitor))
                                 |   del_timer_sync(&dev->stat_monitor);
lan78xx_stat_monitor()           |  ...
 lan78xx_defer_kevent()          |  free_netdev(net); //free
  //use net_device private data  |
  dev-> //use                    |

Although we use del_timer_sync() to delete the timer, the function
timer_pending() returns 0 when the timer is activated. As a result,
the del_timer_sync() will not be executed and the timer could be
re-armed.

In order to mitigate this bug, we use timer_shutdown_sync() to shutdown
the timer and then use cancel_delayed_work_sync() to cancel the delayed
work. As a result, the net_device could be deallocated safely.

What's more, the dev->flags is set to EVENT_DEV_DISCONNECT in
lan78xx_disconnect(). But it could still be set to EVENT_STAT_UPDATE in
lan78xx_stat_monitor(). So this patch puts the set_bit() behind
timer_shutdown_sync().

Fixes: 77dfff5bb7e2 ("lan78xx: Fix race condition in disconnect handling")
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
(backported from commit 1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3)
[yuxuan.luo: ignored the conflicting line introduced at ec4c7e12396b (“lan78xx: Introduce NAPI polling support”). ]
CVE-2023-6039
Signed-off-by: Yuxuan Luo
---
 drivers/net/usb/lan78xx.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 5700c9d20a3e2..64f3b403116f7 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -3912,13 +3912,13 @@ static void lan78xx_disconnect(struct usb_interface *intf) if (!dev) return; - set_bit(EVENT_DEV_DISCONNECT, &dev->flags); - udev = interface_to_usbdev(intf); net = dev->net; unregister_netdev(net); + timer_shutdown_sync(&dev->stat_monitor); + set_bit(EVENT_DEV_DISCONNECT, &dev->flags); cancel_delayed_work_sync(&dev->wq); phydev = net->phydev; @@ -3933,9 +3933,6 @@ static void lan78xx_disconnect(struct usb_interface *intf) usb_scuttle_anchored_urbs(&dev->deferred); - if (timer_pending(&dev->stat_monitor)) - del_timer_sync(&dev->stat_monitor); - lan78xx_unbind(dev, intf); usb_kill_urb(dev->urb_intr);
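Review bot: in the first hunk (@@ -3912), the whole fix rests on timer_shutdown_sync() being available in the target tree, and the backport note only mentions the NAPI conflict, not this helper. timer_shutdown_sync() entered the timer API in 6.2; on a tree without it this hunk does not compile, so the cover letter or the bracketed note should state that the target kernel has it (or carries the prerequisite). The ordering itself matches the commit message: timer_shutdown_sync() waits for a running lan78xx_stat_monitor() and makes later mod_timer() calls no-ops, so the set_bit(EVENT_DEV_DISCONNECT, &dev->flags) that now follows it cannot be raced by the timer handler, and any work the handler queued is the last that can exist when cancel_delayed_work_sync(&dev->wq) runs.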
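Review bot: in the second hunk (@@ -3933), removing the `if (timer_pending(&dev->stat_monitor)) del_timer_sync(&dev->stat_monitor);` pair is correct and not just a cleanup: that guard is the one the commit message shows failing (timer_pending() reads 0 while the callback is executing, so the synchronous delete was skipped), and with the shutdown moved into the first hunk it would always see an already shut-down timer anyway. Worth a one-line check during review: nothing between the first hunk and usb_scuttle_anchored_urbs(&dev->deferred) may legitimately need to re-arm dev->stat_monitor, because after timer_shutdown_sync() such a mod_timer() is dropped rather than honoured.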
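The two interleavings in the commit message both come down to one state: the stat_monitor callback is already executing when lan78xx_disconnect() checks timer_pending(). The following user-space model is an added example, not lan78xx or kernel code; the functions named after kernel helpers (mod_timer, timer_pending, del_timer_sync, timer_shutdown_sync, cancel_delayed_work_sync) are stand-ins that keep only the properties the fix relies on, and the struct, state names and the uaf counter are assumptions of the model. It runs the pre-patch and post-patch teardown order against that interleaving and counts handler accesses to dev after free_netdev().

```c
/*
 * Added user-space model of the lan78xx stat_monitor / dev->wq re-arm
 * cycle. Not driver or kernel code: every helper below is a stand-in
 * that keeps just the behaviour the patch depends on:
 *  - timer_pending() is false while the timer callback is executing,
 *  - del_timer_sync()/timer_shutdown_sync() wait for a running callback,
 *  - after timer_shutdown_sync(), mod_timer() is a no-op.
 * Any handler access to "dev" after free_netdev() is counted as a UAF.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum timer_state { T_IDLE, T_PENDING, T_RUNNING, T_SHUTDOWN };

struct dev_model {                 /* constructed stand-in for struct lan78xx_net */
	enum timer_state stat_monitor; /* dev->stat_monitor */
	bool wq_pending;               /* dev->wq is queued */
	bool net_freed;                /* free_netdev(net) already ran */
	int uaf_count;                 /* handler touched dev after the free */
};

static void touch_dev(struct dev_model *m)
{
	if (m->net_freed)
		m->uaf_count++;
}

/* mod_timer(): arm an idle timer; a shut-down timer is never re-armed. */
static void mod_timer(struct dev_model *m)
{
	if (m->stat_monitor == T_IDLE)
		m->stat_monitor = T_PENDING;
}

static bool timer_pending(const struct dev_model *m)
{
	return m->stat_monitor == T_PENDING;
}

/* First half of lan78xx_stat_monitor(): the callback has started. */
static void stat_monitor_begin(struct dev_model *m)
{
	if (m->stat_monitor != T_PENDING)
		return;
	m->stat_monitor = T_RUNNING;
	touch_dev(m);
}

/* Second half: lan78xx_defer_kevent() -> schedule_delayed_work(&dev->wq). */
static void stat_monitor_end(struct dev_model *m)
{
	if (m->stat_monitor != T_RUNNING)
		return;
	touch_dev(m);
	m->wq_pending = true;
	m->stat_monitor = T_IDLE;
}

/* del_timer_sync(): drop a pending timer, wait out a running callback. */
static void del_timer_sync(struct dev_model *m)
{
	if (m->stat_monitor == T_RUNNING)
		stat_monitor_end(m);
	if (m->stat_monitor == T_PENDING)
		m->stat_monitor = T_IDLE;
}

/* timer_shutdown_sync(): del_timer_sync(), then refuse any re-arm. */
static void timer_shutdown_sync(struct dev_model *m)
{
	del_timer_sync(m);
	m->stat_monitor = T_SHUTDOWN;
}

static void cancel_delayed_work_sync(struct dev_model *m)
{
	m->wq_pending = false;
}

/* lan78xx_delayedwork(): consume the queued work and re-arm the timer. */
static void delayedwork_run(struct dev_model *m)
{
	if (!m->wq_pending)
		return;
	m->wq_pending = false;
	touch_dev(m);
	mod_timer(m);
}

/* lan78xx_disconnect() teardown in pre-patch and post-patch order. */
static void disconnect(struct dev_model *m, bool patched)
{
	if (patched) {
		timer_shutdown_sync(m);
		cancel_delayed_work_sync(m);
	} else {
		cancel_delayed_work_sync(m);
		if (timer_pending(m))   /* false while the callback runs */
			del_timer_sync(m);
	}
	m->net_freed = true;            /* free_netdev(net) */
}

/* Interleaving from the commit message; returns post-free accesses. */
static int race_uaf_count(bool patched)
{
	struct dev_model m;

	memset(&m, 0, sizeof(m));
	m.stat_monitor = T_PENDING;
	stat_monitor_begin(&m);   /* thread 1: callback starts */
	disconnect(&m, patched);  /* thread 2: teardown interleaves here */
	stat_monitor_end(&m);     /* thread 1: callback finishes, queues work */
	delayedwork_run(&m);      /* thread 1: work runs and tries to re-arm */
	stat_monitor_begin(&m);   /* a re-armed timer would fire again */
	stat_monitor_end(&m);
	return m.uaf_count;
}

int main(void)
{
	printf("pre-patch order : %d post-free accesses\n", race_uaf_count(false));
	printf("post-patch order: %d post-free accesses\n", race_uaf_count(true));
	return 0;
}
```

With the old order the running callback is invisible to timer_pending(), so the delete is skipped, the callback queues work after the free, and the work re-arms the timer; with the new order timer_shutdown_sync() absorbs the running callback, pins the timer in the shut-down state, and the single piece of work it queued is removed by cancel_delayed_work_sync() before the free.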