From 81b1d548d00bcd028303c4f3150fa753b9b8aa71 Mon Sep 17 00:00:00 2001
From: Lin Ma <linma@zju.edu.cn>
Date: Thu, 11 Nov 2021 22:14:02 +0800
Subject: [PATCH] hamradio: remove needs_free_netdev to avoid UAF
Git-commit: 81b1d548d00bcd028303c4f3150fa753b9b8aa71
Patch-mainline: v5.16-rc2
References: CVE-2022-1195 bsc#1198029

The former patch "defer 6pack kfree after unregister_netdev" reorders
the kfree of two buffers after the unregister_netdev to prevent the race
condition. It also adds free_netdev() function in sixpack_close(), which
is a direct copy from the similar code in mkiss_close().

However, in the sixpack driver, the flag needs_free_netdev is set to true in
sp_setup(), hence the unregister_netdev() will free the netdev
automatically. Therefore, as the sp is netdev_priv, use-after-free
occurs.

This patch removes the needs_free_netdev = true and just lets the
free_netdev finish this deallocation task.

Fixes: 0b9111922b1f ("hamradio: defer 6pack kfree after unregister_netdev")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20211111141402.7551-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
drivers/net/hamradio/6pack.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index bfdf89e54752..8a19a06b505d 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -306,7 +306,6 @@ static void sp_setup(struct net_device *dev)
{
/* Finish setting up the DEVICE info. */
dev->netdev_ops = &sp_netdev_ops;
- dev->needs_free_netdev = true;
dev->mtu = SIXP_MTU;
dev->hard_header_len = AX25_MAX_HEADER_LEN;
dev->header_ops = &ax25_header_ops;
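Review bot: dropping dev->needs_free_netdev = true in sp_setup() is only safe if every teardown path now calls free_netdev() itself, and nothing in this patch shows those call sites. The commit message names sixpack_close() as the place where the explicit free_netdev() lives, added by 0b9111922b1f; when backporting, confirm that commit is already in the tree, since without it this one-line removal trades the use-after-free for a leaked netdev. It is also worth checking that sixpack_close() does not touch sp (which is netdev_priv of the device) after its free_netdev() call, and adding a short comment in sp_setup() that the device is freed explicitly in sixpack_close() so the flag is not reintroduced in a later cleanup.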
--
2.31.1