Re: [PATCH] net: davicom: fix UAF in dm9000_drv_remove
From: Paolo Abeni
Date: Thu Jan 23 2025 - 04:56:57 EST

On 1/21/25 9:04 PM, Chenyuan Yang wrote:
> On Mon, Jan 20, 2025 at 11:33 PM Uwe Kleine-König
> <u.kleine-koenig@xxxxxxxxxxxx> wrote:
>> On Mon, Jan 20, 2025 at 04:25:57PM -0600, Chenyuan Yang wrote:
>>> dm is netdev private data and it cannot be
>>> used after free_netdev() call. Using adpt after free_netdev()
>>
>> What is adpt?
>
> This should be "dm".
>
>>> can cause UAF bug. Fix it by moving free_netdev() to the end of the
>>> function.
>>
>> "can cause"? Doesn't that trigger reliably?
>>
>> How did you find that issue? Did this actually trigger for you, or is it
>> a static checker that found it? Please mention that in the commit log.
>
> This is detected by our static checker. Thus, we don't have a
> test-case to trigger it stably.
> Basically, it has the buggy pattern as the commit mentioned below.
>
>>> This is similar to the issue fixed in commit
>>> ad297cd2db8953e2202970e9504cab247b6c7cb4 ("net: qcom/emac: fix UAF in emac_remove").
>>
>> Please shorten the commit id, typically to 12 chars as you did in the
>> Fixes line below.
>
> Sure! Should I send a Patch v2 for this commit?

Please do! While at it, please also include the target tree ('net') in
the subj prefix.

Thanks,

Paolo