[BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition
Wentai Deng
wtdeng24 at m.fudan.edu.cn
Mon Sep 2 04:37:41 PDT 2024
Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.
------------------ Original ------------------From: "Russell King (Oracle)"<linux at armlinux.org.uk>;Date: Mon, Sep 2, 2024 05:23 PMTo: "Wentai Deng"<wtdeng24 at m.fudan.edu.cn>; Cc: "davem"<davem at davemloft.net>; "edumazet"<edumazet at google.com>; "kuba"<kuba at kernel.org>; "pabeni"<pabeni at redhat.com>; "linux-arm-kernel"<linux-arm-kernel at lists.infradead.org>; "netdev"<netdev at vger.kernel.org>; "linux-kernel"<linux-kernel at vger.kernel.org>; "杜雪盈"<21210240012 at m.fudan.edu.cn>; Subject: Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:> > > CPU0 CPU1> > > | ether3_ledoff> ether3_remove |> free_netdev(dev); |> put_device |> kfree(dev); |> | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);> | // use devThis is unreadable.> Request for Review:> > > We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.Please resend without the HTML junk in the plain text part.-- *** please note that I probably will only be occasionally responsive*** for an unknown period of time due to recent eye surgery making*** reading quite difficult.RMK's Patch system: https://www.armlinux.org.uk/developer/patches/FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
More information about the linux-arm-kernel
mailing list