linux/drivers/net/wireless
Taehee Yoo bc71d8b580 virt_wifi: fix use-after-free in virt_wifi_newlink()
When a virt_wifi interface is created, virt_wifi_newlink() is called and
it calls register_netdevice().
If register_netdevice() fails, it internally would call
->priv_destructor(), which is virt_wifi_net_device_destructor(), and
it frees netdev. But virt_wifi_newlink() still uses netdev.
So, a use-after-free would occur in virt_wifi_newlink().

Test commands:
    ip link add dummy0 type dummy
    modprobe bonding
    ip link add bonding_masters link dummy0 type virt_wifi

Splat looks like:
[  202.220554] BUG: KASAN: use-after-free in virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.221659] Read of size 8 at addr ffff888061629cb8 by task ip/852

[  202.222896] CPU: 1 PID: 852 Comm: ip Not tainted 5.4.0-rc5 #3
[  202.223765] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  202.225073] Call Trace:
[  202.225532]  dump_stack+0x7c/0xbb
[  202.226869]  print_address_description.constprop.5+0x1be/0x360
[  202.229362]  __kasan_report+0x12a/0x16f
[  202.230714]  kasan_report+0xe/0x20
[  202.232595]  virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.233370]  __rtnl_newlink+0xb9f/0x11b0
[  202.244909]  rtnl_newlink+0x65/0x90
[ ... ]

Cc: stable@vger.kernel.org
Fixes: c7cdba31ed ("mac80211-next: rtnetlink wifi simulation device")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20191121122645.9355-1-ap420073@gmail.com
[trim stack dump a bit]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-11-22 13:36:25 +01:00
admtek adm80211: remove set but not used variables 'mem_addr' and 'io_addr' 2019-10-24 08:48:00 +03:00
ath drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
atmel drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
broadcom brcmsmac: remove unnecessary return 2019-11-15 14:23:22 +02:00
cisco airo: fix memory leaks 2019-09-03 16:39:33 +03:00
intel Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-16 21:51:42 -08:00
intersil net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
marvell wireless-drivers-next patches for 5.5 2019-11-05 18:36:35 -08:00
mediatek wireless-drivers-next patches for 5.5 2019-11-05 18:36:35 -08:00
quantenna qtnfmac: add support for getting/setting transmit power 2019-11-14 17:28:53 +02:00
ralink drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
realtek rtw88: remove duplicated include from ps.c 2019-11-15 14:24:38 +02:00
rsi wireless-drivers-next patches for 5.5 2019-11-05 18:36:35 -08:00
st net/wireless: Delete unnecessary checks before the macro call “dev_kfree_skb” 2019-10-15 08:27:02 +03:00
ti drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
zydas zd1211rw: zd_usb: Use "%zu" to format size_t 2019-09-21 08:57:35 +03:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
mac80211_hwsim.c mac80211_hwsim: use DEFINE_DEBUGFS_ATTRIBUTE to define debugfs fops 2019-11-08 10:17:33 +01:00
mac80211_hwsim.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
Makefile
ray_cs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 416 2019-06-05 17:37:15 +02:00
ray_cs.h
rayctl.h
rndis_wlan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
virt_wifi.c virt_wifi: fix use-after-free in virt_wifi_newlink() 2019-11-22 13:36:25 +01:00
wl3501_cs.c wl3501_cs: remove redundant variable rc 2019-07-24 14:45:24 +03:00
wl3501.h