diff mbox series

[net] net: ravb: Fix possible UAF bug in ravb_remove

Message ID 20230309100248.3831498-1-zyytlz.wz@163.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] net: ravb: Fix possible UAF bug in ravb_remove | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 20 this patch: 20
netdev/cc_maintainers fail 2 blamed authors not CCed: mitsuhiro.kimura.kc@renesas.com sergei.shtylyov@cogentembedded.com; 5 maintainers not CCed: linux-renesas-soc@vger.kernel.org sergei.shtylyov@cogentembedded.com biju.das.jz@bp.renesas.com mitsuhiro.kimura.kc@renesas.com phil.edworthy@renesas.com
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 20 this patch: 20
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Zheng Wang March 9, 2023, 10:02 a.m. UTC 
In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
If timeout occurs, it will start the work. And if we call
ravb_remove without finishing the work, ther may be a use
after free bug on ndev.

Fix it by finishing the job before cleanup in ravb_remove.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/net/ethernet/renesas/ravb_main.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Sergey Shtylyov March 9, 2023, 3:47 p.m. UTC | #1 
Hello!

On 3/9/23 1:02 PM, Zheng Wang wrote:

> In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> If timeout occurs, it will start the work. And if we call
> ravb_remove without finishing the work, ther may be a use
> after free bug on ndev.

   Have you actually encountered it?

> Fix it by finishing the job before cleanup in ravb_remove.
> 
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")

   Hm... sorry about that. :-)

> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>

Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

[...]
> diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> index 0f54849a3823..07a08e72f440 100644
> --- a/drivers/net/ethernet/renesas/ravb_main.c
> +++ b/drivers/net/ethernet/renesas/ravb_main.c
> @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
>  	struct ravb_private *priv = netdev_priv(ndev);
>  	const struct ravb_hw_info *info = priv->info;
>  
> +	cancel_work_sync(&priv->work);

   I think we need an empty line here...

>  	/* Stop PTP Clock driver */
>  	if (info->ccc_gac)
>  		ravb_ptp_stop(ndev);

MBR, Sergey
Yunsheng Lin March 10, 2023, 1:12 a.m. UTC | #2 
On 2023/3/9 18:02, Zheng Wang wrote:
> In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> If timeout occurs, it will start the work. And if we call
> ravb_remove without finishing the work, ther may be a use

ther -> there

> after free bug on ndev.
> 
> Fix it by finishing the job before cleanup in ravb_remove.
> 
> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
>  drivers/net/ethernet/renesas/ravb_main.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> index 0f54849a3823..07a08e72f440 100644
> --- a/drivers/net/ethernet/renesas/ravb_main.c
> +++ b/drivers/net/ethernet/renesas/ravb_main.c
> @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
>  	struct ravb_private *priv = netdev_priv(ndev);
>  	const struct ravb_hw_info *info = priv->info;
>  
> +	cancel_work_sync(&priv->work);

As your previous patch, I still do not see anything stopping
dev_watchdog() from calling dev->netdev_ops->ndo_tx_timeout
after cancel_work_sync(), maybe I missed something obvious
here?


>  	/* Stop PTP Clock driver */
>  	if (info->ccc_gac)
>  		ravb_ptp_stop(ndev);
>
Zheng Hacker March 10, 2023, 4:33 p.m. UTC | #3 
Sergey Shtylyov <s.shtylyov@omp.ru> 于2023年3月9日周四 23:47写道:
>
> Hello!
>
> On 3/9/23 1:02 PM, Zheng Wang wrote:
>
> > In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> > If timeout occurs, it will start the work. And if we call
> > ravb_remove without finishing the work, ther may be a use
> > after free bug on ndev.
>
>    Have you actually encountered it?

Sorry, I haven't encountered it. All of the analysis is based on
static analysis.

>
> > Fix it by finishing the job before cleanup in ravb_remove.
> >
> > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
>
>    Hm... sorry about that. :-)
>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>
> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
>
> [...]
> > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> > index 0f54849a3823..07a08e72f440 100644
> > --- a/drivers/net/ethernet/renesas/ravb_main.c
> > +++ b/drivers/net/ethernet/renesas/ravb_main.c
> > @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
> >       struct ravb_private *priv = netdev_priv(ndev);
> >       const struct ravb_hw_info *info = priv->info;
> >
> > +     cancel_work_sync(&priv->work);
>
>    I think we need an empty line here...

Yes, will add it in the next version of patch.

Best regards,
Zheng

>
> >       /* Stop PTP Clock driver */
> >       if (info->ccc_gac)
> >               ravb_ptp_stop(ndev);
>
Zheng Hacker March 10, 2023, 4:38 p.m. UTC | #4 
Yunsheng Lin <linyunsheng@huawei.com> 于2023年3月10日周五 09:12写道:
>
> On 2023/3/9 18:02, Zheng Wang wrote:
> > In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> > If timeout occurs, it will start the work. And if we call
> > ravb_remove without finishing the work, ther may be a use
>
> ther -> there
>

Sorry about the typo, will correct it in the next version.

> > after free bug on ndev.
> >
> > Fix it by finishing the job before cleanup in ravb_remove.
> >
> > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> >  drivers/net/ethernet/renesas/ravb_main.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> > index 0f54849a3823..07a08e72f440 100644
> > --- a/drivers/net/ethernet/renesas/ravb_main.c
> > +++ b/drivers/net/ethernet/renesas/ravb_main.c
> > @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
> >       struct ravb_private *priv = netdev_priv(ndev);
> >       const struct ravb_hw_info *info = priv->info;
> >
> > +     cancel_work_sync(&priv->work);
>
> As your previous patch, I still do not see anything stopping
> dev_watchdog() from calling dev->netdev_ops->ndo_tx_timeout
> after cancel_work_sync(), maybe I missed something obvious
> here?
>
Yes, that's a keyed suggestion. I was hurry to report the issue today
so wrote with many mistakes.
Thanks agagin for the advice. I will review other patch carefully.

Best regards,
Zheng

>

> >       /* Stop PTP Clock driver */
> >       if (info->ccc_gac)
> >               ravb_ptp_stop(ndev);
> >
Salvatore Bonaccorso Sept. 2, 2023, 2:34 p.m. UTC | #5 
Hi,

On Sat, Mar 11, 2023 at 12:38:10AM +0800, Zheng Hacker wrote:
> Yunsheng Lin <linyunsheng@huawei.com> 于2023年3月10日周五 09:12写道:
> >
> > On 2023/3/9 18:02, Zheng Wang wrote:
> > > In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
> > > If timeout occurs, it will start the work. And if we call
> > > ravb_remove without finishing the work, ther may be a use
> >
> > ther -> there
> >
> 
> Sorry about the typo, will correct it in the next version.
> 
> > > after free bug on ndev.
> > >
> > > Fix it by finishing the job before cleanup in ravb_remove.
> > >
> > > Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
> > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > > ---
> > >  drivers/net/ethernet/renesas/ravb_main.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
> > > index 0f54849a3823..07a08e72f440 100644
> > > --- a/drivers/net/ethernet/renesas/ravb_main.c
> > > +++ b/drivers/net/ethernet/renesas/ravb_main.c
> > > @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
> > >       struct ravb_private *priv = netdev_priv(ndev);
> > >       const struct ravb_hw_info *info = priv->info;
> > >
> > > +     cancel_work_sync(&priv->work);
> >
> > As your previous patch, I still do not see anything stopping
> > dev_watchdog() from calling dev->netdev_ops->ndo_tx_timeout
> > after cancel_work_sync(), maybe I missed something obvious
> > here?
> >
> Yes, that's a keyed suggestion. I was hurry to report the issue today
> so wrote with many mistakes.
> Thanks agagin for the advice. I will review other patch carefully.
> 
> Best regards,
> Zheng

Looking through some older reports and proposed patches, has this even
been accepted later? Or did it felt trough the cracks?

Regards,
Salvatore
Sergei Shtylyov Sept. 3, 2023, 5:11 p.m. UTC | #6 
Hello!

On 9/2/23 5:34 PM, Salvatore Bonaccorso wrote:
[...]
>>>> In ravb_probe, priv->work was bound with ravb_tx_timeout_work.
>>>> If timeout occurs, it will start the work. And if we call
>>>> ravb_remove without finishing the work, ther may be a use
>>>
>>> ther -> there
>>>
>>
>> Sorry about the typo, will correct it in the next version.
>>
>>>> after free bug on ndev.

   BTW, is UAF a common abbreviation? I for one didn't know it...

>>>>
>>>> Fix it by finishing the job before cleanup in ravb_remove.
>>>>
>>>> Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
>>>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>>>> ---
>>>>  drivers/net/ethernet/renesas/ravb_main.c | 1 +
>>>>  1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
>>>> index 0f54849a3823..07a08e72f440 100644
>>>> --- a/drivers/net/ethernet/renesas/ravb_main.c
>>>> +++ b/drivers/net/ethernet/renesas/ravb_main.c
>>>> @@ -2892,6 +2892,7 @@ static int ravb_remove(struct platform_device *pdev)
>>>>       struct ravb_private *priv = netdev_priv(ndev);
>>>>       const struct ravb_hw_info *info = priv->info;
>>>>
>>>> +     cancel_work_sync(&priv->work);
>>>
>>> As your previous patch, I still do not see anything stopping
>>> dev_watchdog() from calling dev->netdev_ops->ndo_tx_timeout
>>> after cancel_work_sync(), maybe I missed something obvious
>>> here?
>>>
>> Yes, that's a keyed suggestion. I was hurry to report the issue today
>> so wrote with many mistakes.
>> Thanks agagin for the advice. I will review other patch carefully.
>>
>> Best regards,
>> Zheng
> 
> Looking through some older reports and proposed patches, has this even
> been accepted later?

   No, the latest patch was v4 and it still didn't seem acceptable; I for one
don't agree that Zheng does his things in ravb_remove(), not ravb_close().

> Or did it felt trough the cracks?

   No, there are just too long delays between versions... and the patch still
doesn't seem correct enough... :-/

> Regards,
> Salvatore

MBR, Sergey
Sergei Shtylyov Sept. 3, 2023, 5:13 p.m. UTC | #7 
Sorry, had to reply from my Gmail account as the work server rejected
the msg for unknown reason... :-/

MBR, Sergey
diff mbox series

Patch

diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 0f54849a3823..07a08e72f440 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -2892,6 +2892,7 @@  static int ravb_remove(struct platform_device *pdev)
 	struct ravb_private *priv = netdev_priv(ndev);
 	const struct ravb_hw_info *info = priv->info;
 
+	cancel_work_sync(&priv->work);
 	/* Stop PTP Clock driver */
 	if (info->ccc_gac)
 		ravb_ptp_stop(ndev);