cve-2024-26895
Vulnerability from cvelistv5
Published
2024-04-17 10:27
Modified
2024-12-19 08:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces wilc_netdev_cleanup currently triggers a KASAN warning, which can be observed on interface registration error path, or simply by removing the module/unbinding device from driver: echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind ================================================================== BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc Read of size 4 at addr c54d1ce8 by task sh/86 CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117 Hardware name: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x58 dump_stack_lvl from print_report+0x154/0x500 print_report from kasan_report+0xac/0xd8 kasan_report from wilc_netdev_cleanup+0x508/0x5cc wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec wilc_bus_remove from spi_remove+0x8c/0xac spi_remove from device_release_driver_internal+0x434/0x5f8 device_release_driver_internal from unbind_store+0xbc/0x108 unbind_store from kernfs_fop_write_iter+0x398/0x584 kernfs_fop_write_iter from vfs_write+0x728/0xf88 vfs_write from ksys_write+0x110/0x1e4 ksys_write from ret_fast_syscall+0x0/0x1c [...] Allocated by task 1: kasan_save_track+0x30/0x5c __kasan_kmalloc+0x8c/0x94 __kmalloc_node+0x1cc/0x3e4 kvmalloc_node+0x48/0x180 alloc_netdev_mqs+0x68/0x11dc alloc_etherdev_mqs+0x28/0x34 wilc_netdev_ifc_init+0x34/0x8ec wilc_cfg80211_init+0x690/0x910 wilc_bus_probe+0xe0/0x4a0 spi_probe+0x158/0x1b0 really_probe+0x270/0xdf4 __driver_probe_device+0x1dc/0x580 driver_probe_device+0x60/0x140 __driver_attach+0x228/0x5d4 bus_for_each_dev+0x13c/0x1a8 bus_add_driver+0x2a0/0x608 driver_register+0x24c/0x578 do_one_initcall+0x180/0x310 kernel_init_freeable+0x424/0x484 kernel_init+0x20/0x148 ret_from_fork+0x14/0x28 Freed by task 86: kasan_save_track+0x30/0x5c kasan_save_free_info+0x38/0x58 __kasan_slab_free+0xe4/0x140 kfree+0xb0/0x238 device_release+0xc0/0x2a8 kobject_put+0x1d4/0x46c netdev_run_todo+0x8fc/0x11d0 wilc_netdev_cleanup+0x1e4/0x5cc wilc_bus_remove+0xc8/0xec spi_remove+0x8c/0xac device_release_driver_internal+0x434/0x5f8 unbind_store+0xbc/0x108 kernfs_fop_write_iter+0x398/0x584 vfs_write+0x728/0xf88 ksys_write+0x110/0x1e4 ret_fast_syscall+0x0/0x1c [...] David Mosberger-Tan initial investigation [1] showed that this use-after-free is due to netdevice unregistration during vif list traversal. When unregistering a net device, since the needs_free_netdev has been set to true during registration, the netdevice object is also freed, and as a consequence, the corresponding vif object too, since it is attached to it as private netdevice data. The next occurrence of the loop then tries to access freed vif pointer to the list to move forward in the list. Fix this use-after-free thanks to two mechanisms: - navigate in the list with list_for_each_entry_safe, which allows to safely modify the list as we go through each element. For each element, remove it from the list with list_del_rcu - make sure to wait for RCU grace period end after each vif removal to make sure it is safe to free the corresponding vif too (through unregister_netdev) Since we are in a RCU "modifier" path (not a "reader" path), and because such path is expected not to be concurrent to any other modifier (we are using the vif_mutex lock), we do not need to use RCU list API, that's why we can benefit from list_for_each_entry_safe. [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Impacted products
Vendor Product Version
Linux Linux Version: 5.5
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.707Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:48:12.761255Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:23.894Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/microchip/wilc1000/netdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5956f4203b6cdd0755bbdd21b45f3933c7026208",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            },
            {
              "lessThan": "fe20e3d56bc911408fc3c27a17c59e9d7885f7d1",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            },
            {
              "lessThan": "a9545af2a533739ffb64d6c9a6fec6f13e2b505f",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            },
            {
              "lessThan": "3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            },
            {
              "lessThan": "24228dcf1d30c2231caa332be7d3090ac59fbfe9",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            },
            {
              "lessThan": "73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            },
            {
              "lessThan": "cb5942b77c05d54310a0420cac12935e9b6aa21c",
              "status": "affected",
              "version": "8399918f3056e1033f0f4c08eab437fb38d6f22d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/microchip/wilc1000/netdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.214",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 \u003e /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n  safely modify the list as we go through each element. For each element,\n  remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n  sure it is safe to free the corresponding vif too (through\n  unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that\u0027s why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:49:41.819Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447"
        },
        {
          "url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c"
        }
      ],
      "title": "wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26895",
    "datePublished": "2024-04-17T10:27:46.585Z",
    "dateReserved": "2024-02-19T14:20:24.186Z",
    "dateUpdated": "2024-12-19T08:49:41.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26895\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:10.677\",\"lastModified\":\"2024-11-21T09:03:19.490\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\\n\\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\\nobserved on interface registration error path, or simply by\\nremoving the module/unbinding device from driver:\\n\\necho spi0.1 \u003e /sys/bus/spi/drivers/wilc1000_spi/unbind\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\\nRead of size 4 at addr c54d1ce8 by task sh/86\\n\\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\\nHardware name: Atmel SAMA5\\n unwind_backtrace from show_stack+0x18/0x1c\\n show_stack from dump_stack_lvl+0x34/0x58\\n dump_stack_lvl from print_report+0x154/0x500\\n print_report from kasan_report+0xac/0xd8\\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\\n wilc_bus_remove from spi_remove+0x8c/0xac\\n spi_remove from device_release_driver_internal+0x434/0x5f8\\n device_release_driver_internal from unbind_store+0xbc/0x108\\n unbind_store from kernfs_fop_write_iter+0x398/0x584\\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\\n vfs_write from ksys_write+0x110/0x1e4\\n ksys_write from ret_fast_syscall+0x0/0x1c\\n\\n[...]\\n\\nAllocated by task 1:\\n kasan_save_track+0x30/0x5c\\n __kasan_kmalloc+0x8c/0x94\\n __kmalloc_node+0x1cc/0x3e4\\n kvmalloc_node+0x48/0x180\\n alloc_netdev_mqs+0x68/0x11dc\\n alloc_etherdev_mqs+0x28/0x34\\n wilc_netdev_ifc_init+0x34/0x8ec\\n wilc_cfg80211_init+0x690/0x910\\n wilc_bus_probe+0xe0/0x4a0\\n spi_probe+0x158/0x1b0\\n really_probe+0x270/0xdf4\\n __driver_probe_device+0x1dc/0x580\\n driver_probe_device+0x60/0x140\\n __driver_attach+0x228/0x5d4\\n bus_for_each_dev+0x13c/0x1a8\\n bus_add_driver+0x2a0/0x608\\n driver_register+0x24c/0x578\\n do_one_initcall+0x180/0x310\\n kernel_init_freeable+0x424/0x484\\n kernel_init+0x20/0x148\\n ret_from_fork+0x14/0x28\\n\\nFreed by task 86:\\n kasan_save_track+0x30/0x5c\\n kasan_save_free_info+0x38/0x58\\n __kasan_slab_free+0xe4/0x140\\n kfree+0xb0/0x238\\n device_release+0xc0/0x2a8\\n kobject_put+0x1d4/0x46c\\n netdev_run_todo+0x8fc/0x11d0\\n wilc_netdev_cleanup+0x1e4/0x5cc\\n wilc_bus_remove+0xc8/0xec\\n spi_remove+0x8c/0xac\\n device_release_driver_internal+0x434/0x5f8\\n unbind_store+0xbc/0x108\\n kernfs_fop_write_iter+0x398/0x584\\n vfs_write+0x728/0xf88\\n ksys_write+0x110/0x1e4\\n ret_fast_syscall+0x0/0x1c\\n [...]\\n\\nDavid Mosberger-Tan initial investigation [1] showed that this\\nuse-after-free is due to netdevice unregistration during vif list\\ntraversal. When unregistering a net device, since the needs_free_netdev has\\nbeen set to true during registration, the netdevice object is also freed,\\nand as a consequence, the corresponding vif object too, since it is\\nattached to it as private netdevice data. The next occurrence of the loop\\nthen tries to access freed vif pointer to the list to move forward in the\\nlist.\\n\\nFix this use-after-free thanks to two mechanisms:\\n- navigate in the list with list_for_each_entry_safe, which allows to\\n  safely modify the list as we go through each element. For each element,\\n  remove it from the list with list_del_rcu\\n- make sure to wait for RCU grace period end after each vif removal to make\\n  sure it is safe to free the corresponding vif too (through\\n  unregister_netdev)\\n\\nSince we are in a RCU \\\"modifier\\\" path (not a \\\"reader\\\" path), and because\\nsuch path is expected not to be concurrent to any other modifier (we are\\nusing the vif_mutex lock), we do not need to use RCU list API, that\u0027s why\\nwe can benefit from list_for_each_entry_safe.\\n\\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: wilc1000: evita el use-after-free en vif al limpiar todas las interfaces wilc_netdev_cleanup activa actualmente una advertencia KASAN, que se puede observar en la ruta del error de registro de la interfaz, o simplemente eliminando el m\u00f3dulo/dispositivo de desvinculaci\u00f3n del controlador: echo spi0.1 \u0026gt; /sys/bus/spi/drivers/wilc1000_spi/unbind ========================== ========================================= ERROR: KASAN: uso de losa despu\u00e9s -free en wilc_netdev_cleanup+0x508/0x5cc Lectura de tama\u00f1o 4 en addr c54d1ce8 por tarea sh/86 CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117 Nombre de hardware: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack de dump_stack_lvl+0x34/0x58 dump_stack_lvl de print_report+0x154/0x500 print_report de kasan_report+0xac/0xd8 kasan_report de wilc_netdev_cleanup+0x508/0x5cc wilc_netdev_cleanup de wilc_bus_remove+0xc8/0xec wilc_bus_remove de spi_remove+0x8c/0xac spi_remove de dispositivo_release_driver_internal+0x434/0x5f8 dispositivo_release_driver_internal de unbind_store+0xbc/0x108 unbind_store de kernfs_fop_write_iter+0x398/0x584 kernfs_fop_write_iter de vfs_write+0x728/0xf88 vfs_write de ksys_write+0x110/0x1e4 ksys_write de ret_fast_syscall+0x0/0 x1c [...] Asignado por la tarea 1: kasan_save_track+0x30/0x5c __kasan_kmalloc +0x8c/0x94 __kmalloc_node+0x1cc/0x3e4 kvmalloc_node+0x48/0x180 alloc_netdev_mqs+0x68/0x11dc alloc_etherdev_mqs+0x28/0x34 wilc_netdev_ifc_init+0x34/0x8ec wilc_cfg80211 _init+0x690/0x910 wilc_bus_probe+0xe0/0x4a0 spi_probe+0x158/0x1b0 Actually_probe+0x270/0xdf4 __driver_probe_device +0x1dc/0x580 driver_probe_device+0x60/0x140 __driver_attach+0x228/0x5d4 bus_for_each_dev+0x13c/0x1a8 bus_add_driver+0x2a0/0x608 driver_register+0x24c/0x578 do_one_initcall+0x180/0x310 kernel _init_freeable+0x424/0x484 kernel_init+0x20/0x148 ret_from_fork+0x14/0x28 Liberado por tarea 86: kasan_save_track+0x30/0x5c kasan_save_free_info+0x38/0x58 __kasan_slab_free+0xe4/0x140 kfree+0xb0/0x238 device_release+0xc0/0x2a8 kobject_put+0x1d4/0x46c netdev_run_todo+0x8fc/0x11 d0 wilc_netdev_cleanup+0x1e4/0x5cc wilc_bus_remove+0xc8/0xec spi_remove +0x8c/0xac dispositivo_release_driver_internal+0x434/0x5f8 unbind_store+0xbc/0x108 kernfs_fop_write_iter+0x398/0x584 vfs_write+0x728/0xf88 ksys_write+0x110/0x1e4 ret_fast_syscall+0x0/0x1c [...] La investigaci\u00f3n inicial de David Mosberger-Tan [1] mostr\u00f3 que Este use-after-free se debe a la cancelaci\u00f3n del registro del dispositivo de red durante el recorrido de la lista vif. Al cancelar el registro de un dispositivo de red, dado que need_free_netdev se configur\u00f3 en verdadero durante el registro, el objeto netdevice tambi\u00e9n se libera y, como consecuencia, tambi\u00e9n el objeto vif correspondiente, ya que est\u00e1 adjunto a \u00e9l como datos privados del dispositivo de red. La siguiente aparici\u00f3n del bucle intenta acceder al puntero vif liberado a la lista para avanzar en la lista. Solucionar este use-after-free gracias a dos mecanismos: - navegar en la lista con list_for_each_entry_safe, que permite modificar de forma segura la lista a medida que avanzamos por cada elemento. Para cada elemento, elim\u00ednelo de la lista con list_del_rcu; aseg\u00farese de esperar a que finalice el per\u00edodo de gracia de RCU despu\u00e9s de cada eliminaci\u00f3n de vif para asegurarse de que tambi\u00e9n sea seguro liberar el vif correspondiente (a trav\u00e9s de unregister_netdev). Ya que estamos en un \\\"modificador\\\" de RCU. ruta (no una ruta de \\\"lector\\\"), y debido a que se espera que dicha ruta no sea concurrente con ning\u00fan otro modificador (estamos usando el bloqueo vif_mutex), no necesitamos usar la API de lista RCU, es por eso que podemos beneficiarnos de list_for_each_entry_safe . [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.