Message ID | 20220818090621.106094-1-duoming@zju.edu.cn (mailing list archive) |
---|---|
State | Accepted |
Commit | f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout | expand |
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Thu, 18 Aug 2022 17:06:21 +0800 you wrote: > When the pn532 uart device is detaching, the pn532_uart_remove() > is called. But there are no functions in pn532_uart_remove() that > could delete the cmd_timeout timer, which will cause use-after-free > bugs. The process is shown below: > > (thread 1) | (thread 2) > | pn532_uart_send_frame > pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) > ... | (wait a time) > kfree(pn532) //FREE | pn532_cmd_timeout > | pn532_uart_send_frame > | pn532->... //USE > > [...] Here is the summary with links: - [net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout https://git.kernel.org/netdev/net/c/f1e941dbf80a You are awesome, thank you!
diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c index 2caf997f9bc..07596bf5f7d 100644 --- a/drivers/nfc/pn533/uart.c +++ b/drivers/nfc/pn533/uart.c @@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev) pn53x_unregister_nfc(pn532->priv); serdev_device_close(serdev); pn53x_common_clean(pn532->priv); + del_timer_sync(&pn532->cmd_timeout); kfree_skb(pn532->recv_skb); kfree(pn532); }
When the pn532 uart device is detaching, the pn532_uart_remove() is called. But there are no functions in pn532_uart_remove() that could delete the cmd_timeout timer, which will cause use-after-free bugs. The process is shown below: (thread 1) | (thread 2) | pn532_uart_send_frame pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) ... | (wait a time) kfree(pn532) //FREE | pn532_cmd_timeout | pn532_uart_send_frame | pn532->... //USE This patch adds del_timer_sync() in pn532_uart_remove() in order to prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc() is well synchronized, it sets nfc_dev->shutting_down to true and there are no syscalls could restart the cmd_timeout timer. Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> --- drivers/nfc/pn533/uart.c | 1 + 1 file changed, 1 insertion(+)