Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition

From: Wentai Deng
Date: Mon Sep 02 2024 - 07:40:23 EST


Apologies for sending the email in the wrong format. I'll correct it and resend it shortly.

------------------ Original ------------------
From: "Russell King (Oracle)" <linux@xxxxxxxxxxxxxxx>
Date: Mon, Sep 2, 2024 05:23 PM
To: "Wentai Deng" <wtdeng24@xxxxxxxxxxxxxx>
Cc: "davem" <davem@xxxxxxxxxxxxx>; "edumazet" <edumazet@xxxxxxxxxx>; "kuba" <kuba@xxxxxxxxxx>; "pabeni" <pabeni@xxxxxxxxxx>; "linux-arm-kernel" <linux-arm-kernel@xxxxxxxxxxxxxxxxxxx>; "netdev" <netdev@xxxxxxxxxxxxxxx>; "linux-kernel" <linux-kernel@xxxxxxxxxxxxxxx>; "杜雪盈" <21210240012@xxxxxxxxxxxxxx>
Subject: Re: [BUG] Possible Use-After-Free Vulnerability in ether3 Driver Due to Race Condition

On Mon, Sep 02, 2024 at 01:19:43PM +0800, Wentai Deng wrote:
> In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
>
> CPU0                              CPU1
>                                   |   ether3_ledoff
> ether3_remove                     |
>     free_netdev(dev);             |
>     put_device                    |
>     kfree(dev);                   |
>                                   |       ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
>                                   |       // use dev

This is unreadable.

> Request for Review:
>
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate.

Please resend without the HTML junk in the plain text part.

-- 
*** please note that I probably will only be occasionally responsive
*** for an unknown period of time due to recent eye surgery making
*** reading quite difficult.
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
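The ordering problem described in the quoted report (a timer callback that can still run after the object it dereferences has been freed) comes down to one teardown invariant: the timer must be stopped, and any in-flight callback waited for, before the device memory is released. The following user-space C model is an added illustration and is not the ether3 driver's code or the reporter's proposed fix; it stands in for a kernel timer with a pthread, and `model_timer`, `model_dev`, `ledoff`, `timer_shutdown_sync_model`, `remove_safe` and `run_model` are hypothetical names chosen for the example. The `config2` field and the bit it sets are constructed stand-ins for the register write in the report.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

/* Added example, not driver code: the "timer" is a thread that invokes a
 * callback periodically until asked to stop; the "device" is the heap
 * object that callback dereferences. */
struct model_timer {
    pthread_t thread;
    atomic_int stop;      /* set by the remove path to request shutdown */
    atomic_int running;   /* 1 while the callback thread may still execute */
    void (*fn)(void *);
    void *arg;
};

struct model_dev {
    struct model_timer timer;
    unsigned int config2;        /* constructed stand-in for a device register */
    atomic_int callback_count;   /* how many times the callback touched dev */
};

/* Stand-in for the LED-off callback: it dereferences dev, so it is only
 * valid while dev is allocated. */
static void ledoff(void *arg)
{
    struct model_dev *dev = arg;
    dev->config2 |= 0x1u;        /* hypothetical control bit, constructed */
    atomic_fetch_add(&dev->callback_count, 1);
}

static void *timer_thread(void *arg)
{
    struct model_timer *t = arg;
    /* Fire at least once, then keep firing until shutdown is requested. */
    do {
        t->fn(t->arg);
        usleep(1000);
    } while (!atomic_load(&t->stop));
    atomic_store(&t->running, 0);
    return NULL;
}

static int timer_setup_and_start(struct model_timer *t,
                                 void (*fn)(void *), void *arg)
{
    t->fn = fn;
    t->arg = arg;
    atomic_store(&t->stop, 0);
    atomic_store(&t->running, 1);
    return pthread_create(&t->thread, NULL, timer_thread, t);
}

/* Model of a synchronous timer shutdown: request the stop and then wait
 * until the callback can no longer be executing. Freeing 'arg' before this
 * returns is exactly the window the report describes. */
static void timer_shutdown_sync_model(struct model_timer *t)
{
    atomic_store(&t->stop, 1);
    pthread_join(t->thread, NULL);
}

/* Correct teardown order: stop-and-wait first, free second.
 * Returns the callback count observed at free time; *still_running
 * receives whether the callback thread was still alive (0 when the
 * ordering is right). */
static int remove_safe(struct model_dev *dev, int *still_running)
{
    timer_shutdown_sync_model(&dev->timer);
    *still_running = atomic_load(&dev->timer.running);
    int n = atomic_load(&dev->callback_count);
    free(dev);   /* safe: no callback can reach dev any more */
    return n;
}

/* Drives the model: allocate, start the timer, let it fire, remove.
 * Returns the number of callback runs (>= 1), -1 on setup failure,
 * -2 if the callback was still live when the object was freed. */
int run_model(void)
{
    struct model_dev *dev = calloc(1, sizeof *dev);
    if (!dev)
        return -1;
    if (timer_setup_and_start(&dev->timer, ledoff, dev) != 0) {
        free(dev);
        return -1;
    }
    usleep(5000);
    int still_running = 1;
    int n = remove_safe(dev, &still_running);
    return still_running ? -2 : n;
}
```

The point of the model is the order inside `remove_safe`: the shutdown-and-wait happens before `free`, so `running` is always 0 at the moment the memory goes away. Swapping those two statements reproduces the race in the report's diagram, which is why the unsafe order is not included as runnable code here.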