Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition

[Russell King (Oracle)]

On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:
> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
> 
> 
> CPU0                            CPU1
> 
> 
>                             |   ether3_ledoff
> ether3_remove               |
>     free_netdev(dev);       |
>     put_device              |
>     kfree(dev);             |
>                             |       ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>                             |       // use dev

This is unreadable.

> Request for Review:
> 
> 
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.

Please resend without the HTML junk in the plain text part.

-- 
*** please note that I probably will only be occasionally responsive
*** for an unknown period of time due to recent eye surgery making
*** reading quite difficult.

RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!