net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs

PlaidCat · PlaidCat · commit 11b3f5e3e3e9 · 2024-10-03T18:03:38.000-04:00
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.37.1.el9_4 commit-author Duoming Zhou <duoming@zju.edu.cn> commit 1e7417c Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/1e7417c1.failed The timer dev->stat_monitor can schedule the delayed work dev->wq and the delayed work dev->wq can also arm the dev->stat_monitor timer. When the device is detaching, the net_device will be deallocated. but the net_device private data could still be dereferenced in delayed work or timer handler. As a result, the UAF bugs will happen. One racy situation is shown below: (Thread 1) | (Thread 2) lan78xx_stat_monitor() | ... | lan78xx_disconnect() lan78xx_defer_kevent() | ... ... | cancel_delayed_work_sync(&dev->wq); schedule_delayed_work() | ... (wait some time) | free_netdev(net); //free net_device lan78xx_delayedwork() | //use net_device private data | dev-> //use | Although we use cancel_delayed_work_sync() to cancel the delayed work in lan78xx_disconnect(), it could still be scheduled in timer handler lan78xx_stat_monitor(). Another racy situation is shown below: (Thread 1) | (Thread 2) lan78xx_delayedwork | mod_timer() | lan78xx_disconnect() | cancel_delayed_work_sync() (wait some time) | if (timer_pending(&dev->stat_monitor)) | del_timer_sync(&dev->stat_monitor); lan78xx_stat_monitor() | ... lan78xx_defer_kevent() | free_netdev(net); //free //use net_device private data| dev-> //use | Although we use del_timer_sync() to delete the timer, the function timer_pending() returns 0 when the timer is activated. As a result, the del_timer_sync() will not be executed and the timer could be re-armed. In order to mitigate this bug, We use timer_shutdown_sync() to shutdown the timer and then use cancel_delayed_work_sync() to cancel the delayed work. As a result, the net_device could be deallocated safely. What's more, the dev->flags is set to EVENT_DEV_DISCONNECT in lan78xx_disconnect(). But it could still be set to EVENT_STAT_UPDATE in lan78xx_stat_monitor(). So this patch put the set_bit() behind timer_shutdown_sync(). Fixes: 77dfff5 ("lan78xx: Fix race condition in disconnect handling") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 1e7417c) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/net/usb/lan78xx.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/1e7417c1.failed b/ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/1e7417c1.failed
@@ -0,0 +1,101 @@
+net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs
+
+jira LE-1907
+Rebuild_History Non-Buildable kernel-5.14.0-427.37.1.el9_4
+commit-author Duoming Zhou <duoming@zju.edu.cn>
+commit 1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/1e7417c1.failed
+
+The timer dev->stat_monitor can schedule the delayed work dev->wq and
+the delayed work dev->wq can also arm the dev->stat_monitor timer.
+
+When the device is detaching, the net_device will be deallocated. but
+the net_device private data could still be dereferenced in delayed work
+or timer handler. As a result, the UAF bugs will happen.
+
+One racy situation is shown below:
+
+      (Thread 1)                 |      (Thread 2)
+lan78xx_stat_monitor()           |
+ ...                             |  lan78xx_disconnect()
+ lan78xx_defer_kevent()          |    ...
+  ...                            |    cancel_delayed_work_sync(&dev->wq);
+  schedule_delayed_work()        |    ...
+  (wait some time)               |    free_netdev(net); //free net_device
+  lan78xx_delayedwork()          |
+  //use net_device private data  |
+  dev-> //use                    |
+
+Although we use cancel_delayed_work_sync() to cancel the delayed work
+in lan78xx_disconnect(), it could still be scheduled in timer handler
+lan78xx_stat_monitor().
+
+Another racy situation is shown below:
+
+      (Thread 1)                |      (Thread 2)
+lan78xx_delayedwork             |
+ mod_timer()                    |  lan78xx_disconnect()
+                                |   cancel_delayed_work_sync()
+ (wait some time)               |   if (timer_pending(&dev->stat_monitor))
+             	                |       del_timer_sync(&dev->stat_monitor);
+ lan78xx_stat_monitor()         |   ...
+  lan78xx_defer_kevent()        |   free_netdev(net); //free
+   //use net_device private data|
+   dev-> //use                  |
+
+Although we use del_timer_sync() to delete the timer, the function
+timer_pending() returns 0 when the timer is activated. As a result,
+the del_timer_sync() will not be executed and the timer could be
+re-armed.
+
+In order to mitigate this bug, We use timer_shutdown_sync() to shutdown
+the timer and then use cancel_delayed_work_sync() to cancel the delayed
+work. As a result, the net_device could be deallocated safely.
+
+What's more, the dev->flags is set to EVENT_DEV_DISCONNECT in
+lan78xx_disconnect(). But it could still be set to EVENT_STAT_UPDATE
+in lan78xx_stat_monitor(). So this patch put the set_bit() behind
+timer_shutdown_sync().
+
+Fixes: 77dfff5bb7e2 ("lan78xx: Fix race condition in disconnect handling")
+	Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+	Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/net/usb/lan78xx.c
+diff --cc drivers/net/usb/lan78xx.c
+index b75e97330f79,59cde06aa7f6..000000000000
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@@ -3910,7 -4224,7 +3910,11 @@@ static void lan78xx_disconnect(struct u
+  	if (!dev)
+  		return;
+  
+++<<<<<<< HEAD
+ +	set_bit(EVENT_DEV_DISCONNECT, &dev->flags);
+++=======
++ 	netif_napi_del(&dev->napi);
+++>>>>>>> 1e7417c188d0 (net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs)
+  
+  	udev = interface_to_usbdev(intf);
+  	net = dev->net;
+@@@ -3931,11 -4247,11 +3937,8 @@@
+  
+  	usb_scuttle_anchored_urbs(&dev->deferred);
+  
+- 	if (timer_pending(&dev->stat_monitor))
+- 		del_timer_sync(&dev->stat_monitor);
+- 
+  	lan78xx_unbind(dev, intf);
+  
+ -	lan78xx_free_tx_resources(dev);
+ -	lan78xx_free_rx_resources(dev);
+ -
+  	usb_kill_urb(dev->urb_intr);
+  	usb_free_urb(dev->urb_intr);
+  
+* Unmerged path drivers/net/usb/lan78xx.c
