aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

Commit Message

Lee, Chun-Yi March 5, 2024, 8:20 a.m. UTC

From: Chun-Yi Lee <jlee@suse.com>

This patch is against CVE-2023-6270. The description of cve is:

  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
  `struct net_device`, and a use-after-free can be triggered by racing
  between the free on the struct and the access through the `skbtxq`
  global queue. This could lead to a denial of service condition or
  potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
---
 drivers/block/aoe/aoecmd.c | 12 ++++++------
 drivers/block/aoe/aoenet.c |  1 +
 2 files changed, 7 insertions(+), 6 deletions(-)

Comments

Jens Axboe March 6, 2024, 3:35 p.m. UTC | #1

On Tue, 05 Mar 2024 16:20:48 +0800, Lee, Chun-Yi wrote:
> This patch is against CVE-2023-6270. The description of cve is:
> 
>   A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
>   kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
>   `struct net_device`, and a use-after-free can be triggered by racing
>   between the free on the struct and the access through the `skbtxq`
>   global queue. This could lead to a denial of service condition or
>   potential code execution.
> 
> [...]

Applied, thanks!

[1/1] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
      commit: f98364e926626c678fb4b9004b75cacf92ff0662

Best regards,

joeyli March 7, 2024, 12:40 p.m. UTC | #2

Hi Jens,

On Wed, Mar 06, 2024 at 08:35:34AM -0700, Jens Axboe wrote:
> 
> On Tue, 05 Mar 2024 16:20:48 +0800, Lee, Chun-Yi wrote:
> > This patch is against CVE-2023-6270. The description of cve is:
> > 
> >   A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
> >   kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
> >   `struct net_device`, and a use-after-free can be triggered by racing
> >   between the free on the struct and the access through the `skbtxq`
> >   global queue. This could lead to a denial of service condition or
> >   potential code execution.
> > 
> > [...]
> 
> Applied, thanks!
> 
> [1/1] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
>       commit: f98364e926626c678fb4b9004b75cacf92ff0662
> 

Thanks for your review!

Joey Lee

Patch

diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
index d7317425be51..cc9077b588d7 100644
--- a/drivers/block/aoe/aoecmd.c
+++ b/drivers/block/aoe/aoecmd.c
@@ -419,13 +419,16 @@  aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
 	rcu_read_lock();
 	for_each_netdev_rcu(&init_net, ifp) {
 		dev_hold(ifp);
-		if (!is_aoe_netif(ifp))
-			goto cont;
+		if (!is_aoe_netif(ifp)) {
+			dev_put(ifp);
+			continue;
+		}
 
 		skb = new_skb(sizeof *h + sizeof *ch);
 		if (skb == NULL) {
 			printk(KERN_INFO "aoe: skb alloc failure\n");
-			goto cont;
+			dev_put(ifp);
+			continue;
 		}
 		skb_put(skb, sizeof *h + sizeof *ch);
 		skb->dev = ifp;
@@ -440,9 +443,6 @@  aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
 		h->major = cpu_to_be16(aoemajor);
 		h->minor = aoeminor;
 		h->cmd = AOECMD_CFG;
-
-cont:
-		dev_put(ifp);
 	}
 	rcu_read_unlock();
 }
diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
index c51ea95bc2ce..923a134fd766 100644
--- a/drivers/block/aoe/aoenet.c
+++ b/drivers/block/aoe/aoenet.c
@@ -63,6 +63,7 @@  tx(int id) __must_hold(&txlock)
 			pr_warn("aoe: packet could not be sent on %s.  %s\n",
 				ifp ? ifp->name : "netif",
 				"consider increasing tx_queue_len");
+		dev_put(ifp);
 		spin_lock_irq(&txlock);
 	}
 	return 0;