diff mbox

use-after-free in sixpack_close

Message ID 20151218.155954.26632223306803039.davem@davemloft.net
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

David Miller Dec. 18, 2015, 8:59 p.m. UTC 
From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Date: Thu, 17 Dec 2015 23:47:39 +0000

> On Thu, 17 Dec 2015 16:05:32 -0500 (EST)
> David Miller <davem@davemloft.net> wrote:
> 
>> From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
>> Date: Thu, 17 Dec 2015 11:41:04 +0000
>> 
>> >> This report is then followed by a dozen of other use-after-free reports.
>> >> 
>> >> On commit edb42dc7bc0da0125ceacab810a553ce1f0cac8d (Dec 15).
>> >> 
>> >> Thank you
>> > 
>> > sixpack_close does unregister_netdev(sp->dev), which frees sp as sp is
>> > actually allocated via alloc_netdev()
>> > 
>> > Then deletes two timers within sp
>> > 
>> > Then frees two buffers indexed off sp
>> 
>> This should fix it, the only thing I'm unsure of is if we should perhaps
>> also use del_timer_sync() here.  Anyone?
> 
> I think you need to yes as the timers use the data you wil be freeing in
> the unregister.

Ok.

> Also you are at the point the tty is closing so the net device may be
> active. Don't you need to netif_stop_queue() or defer the buffer
> kfrees until after the network device is unregistered so you don't pee
> into free memory if you have a transmit occurring ?

I'm pretty sure that's what the semaphore down above this sequence is
accomplishing.  But if we do need the netif_stop_queue() let's do that
as a separate patch.

Here is the patch I am checking in:

Comments

Alan Cox Dec. 18, 2015, 10:02 p.m. UTC | #1 
> > Also you are at the point the tty is closing so the net device may be
> > active. Don't you need to netif_stop_queue() or defer the buffer
> > kfrees until after the network device is unregistered so you don't pee
> > into free memory if you have a transmit occurring ?
> 
> I'm pretty sure that's what the semaphore down above this sequence is
> accomplishing.  But if we do need the netif_stop_queue() let's do that
> as a separate patch.

Follow the code path for sp_xmit(). If sp_xmit is called it digs out sp
from the ndetdev, locks sp->lock and stops the queue then calls sp_encaps
which touches sp->xbuff.

So if one thread of execution hits sp_xmit and another closes the ldisc
at just the wrong moment then we have no protection.

Alan
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

====================
[PATCH] 6pack: Fix use after free in sixpack_close().

Need to do the unregister_device() after all references to the driver
private have been done.

Also we need to use del_timer_sync() for the timers so that we don't
have any asynchronous references after the unregister.

Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/hamradio/6pack.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 7c4a415..9f0b1c3 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -683,14 +683,14 @@  static void sixpack_close(struct tty_struct *tty)
 	if (!atomic_dec_and_test(&sp->refcnt))
 		down(&sp->dead_sem);
 
-	unregister_netdev(sp->dev);
-
-	del_timer(&sp->tx_t);
-	del_timer(&sp->resync_t);
+	del_timer_sync(&sp->tx_t);
+	del_timer_sync(&sp->resync_t);
 
 	/* Free all 6pack frame buffers. */
 	kfree(sp->rbuff);
 	kfree(sp->xbuff);
+
+	unregister_netdev(sp->dev);
 }
 
 /* Perform I/O control on an active 6pack channel. */