[BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition

Wentai Deng wtdeng24 at m.fudan.edu.cn
Mon Sep 2 04:37:41 PDT 2024


Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.

  ------------------ Original ------------------From:  "Russell King (Oracle)"<linux at armlinux.org.uk>;Date:  Mon, Sep 2, 2024 05:23 PMTo:  "Wentai Deng"<wtdeng24 at m.fudan.edu.cn>; Cc:  "davem"<davem at davemloft.net>; "edumazet"<edumazet at google.com>; "kuba"<kuba at kernel.org>; "pabeni"<pabeni at redhat.com>; "linux-arm-kernel"<linux-arm-kernel at lists.infradead.org>; "netdev"<netdev at vger.kernel.org>; "linux-kernel"<linux-kernel at vger.kernel.org>; "杜雪盈"<21210240012 at m.fudan.edu.cn>; Subject:  Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:> > > CPU0                            CPU1> > >                             |   ether3_ledoff> ether3_remove               |>     free_netdev(dev);       |>     put_device              |>     kfree(dev);             |>                             |       ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);>                             |       // use devThis is unreadable.> Request for Review:> > > We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.Please resend without the HTML junk in the plain text part.-- *** please note that I probably will only be occasionally responsive*** for an unknown period of time due to recent eye surgery making*** reading quite difficult.RMK's Patch system: https://www.armlinux.org.uk/developer/patches/FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!


More information about the linux-arm-kernel mailing list