cve/published/2024/CVE-2024-26895.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26895: wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

 wilc_netdev_cleanup currently triggers a KASAN warning, which can be
 observed on interface registration error path, or simply by
 removing the module/unbinding device from driver:

 echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind

 ==================================================================
 BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
 Read of size 4 at addr c54d1ce8 by task sh/86

 CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
 Hardware name: Atmel SAMA5
  unwind_backtrace from show_stack+0x18/0x1c
  show_stack from dump_stack_lvl+0x34/0x58
  dump_stack_lvl from print_report+0x154/0x500
  print_report from kasan_report+0xac/0xd8
  kasan_report from wilc_netdev_cleanup+0x508/0x5cc
  wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
  wilc_bus_remove from spi_remove+0x8c/0xac
  spi_remove from device_release_driver_internal+0x434/0x5f8
  device_release_driver_internal from unbind_store+0xbc/0x108
  unbind_store from kernfs_fop_write_iter+0x398/0x584
  kernfs_fop_write_iter from vfs_write+0x728/0xf88
  vfs_write from ksys_write+0x110/0x1e4
  ksys_write from ret_fast_syscall+0x0/0x1c

 [...]

 Allocated by task 1:
  kasan_save_track+0x30/0x5c
  __kasan_kmalloc+0x8c/0x94
  __kmalloc_node+0x1cc/0x3e4
  kvmalloc_node+0x48/0x180
  alloc_netdev_mqs+0x68/0x11dc
  alloc_etherdev_mqs+0x28/0x34
  wilc_netdev_ifc_init+0x34/0x8ec
  wilc_cfg80211_init+0x690/0x910
  wilc_bus_probe+0xe0/0x4a0
  spi_probe+0x158/0x1b0
  really_probe+0x270/0xdf4
  __driver_probe_device+0x1dc/0x580
  driver_probe_device+0x60/0x140
  __driver_attach+0x228/0x5d4
  bus_for_each_dev+0x13c/0x1a8
  bus_add_driver+0x2a0/0x608
  driver_register+0x24c/0x578
  do_one_initcall+0x180/0x310
  kernel_init_freeable+0x424/0x484
  kernel_init+0x20/0x148
  ret_from_fork+0x14/0x28

 Freed by task 86:
  kasan_save_track+0x30/0x5c
  kasan_save_free_info+0x38/0x58
  __kasan_slab_free+0xe4/0x140
  kfree+0xb0/0x238
  device_release+0xc0/0x2a8
  kobject_put+0x1d4/0x46c
  netdev_run_todo+0x8fc/0x11d0
  wilc_netdev_cleanup+0x1e4/0x5cc
  wilc_bus_remove+0xc8/0xec
  spi_remove+0x8c/0xac
  device_release_driver_internal+0x434/0x5f8
  unbind_store+0xbc/0x108
  kernfs_fop_write_iter+0x398/0x584
  vfs_write+0x728/0xf88
  ksys_write+0x110/0x1e4
  ret_fast_syscall+0x0/0x1c
  [...]

 David Mosberger-Tan initial investigation [1] showed that this
 use-after-free is due to netdevice unregistration during vif list
 traversal. When unregistering a net device, since the needs_free_netdev has
 been set to true during registration, the netdevice object is also freed,
 and as a consequence, the corresponding vif object too, since it is
 attached to it as private netdevice data. The next occurrence of the loop
 then tries to access freed vif pointer to the list to move forward in the
 list.

 Fix this use-after-free thanks to two mechanisms:
 - navigate in the list with list_for_each_entry_safe, which allows to
   safely modify the list as we go through each element. For each element,
   remove it from the list with list_del_rcu
 - make sure to wait for RCU grace period end after each vif removal to make
   sure it is safe to free the corresponding vif too (through
   unregister_netdev)

 Since we are in a RCU "modifier" path (not a "reader" path), and because
 such path is expected not to be concurrent to any other modifier (we are
 using the vif_mutex lock), we do not need to use RCU list API, that's why
 we can benefit from list_for_each_entry_safe.

 [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/

 The Linux kernel CVE team has assigned CVE-2024-26895 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 5.10.214 with commit 5956f4203b6cdd0755bbdd21b45f3933c7026208
 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 5.15.153 with commit fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.1.83 with commit a9545af2a533739ffb64d6c9a6fec6f13e2b505f
 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.6.23 with commit 3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.7.11 with commit 24228dcf1d30c2231caa332be7d3090ac59fbfe9
 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.8.2 with commit 73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
 	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.9 with commit cb5942b77c05d54310a0420cac12935e9b6aa21c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26895
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/microchip/wilc1000/netdev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
 	https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
 	https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
 	https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
 	https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
 	https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
 	https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26895: wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

	wilc_netdev_cleanup currently triggers a KASAN warning, which can be
	observed on interface registration error path, or simply by
	removing the module/unbinding device from driver:

	echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind

	==================================================================
	BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
	Read of size 4 at addr c54d1ce8 by task sh/86

	CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
	Hardware name: Atmel SAMA5
	unwind_backtrace from show_stack+0x18/0x1c
	show_stack from dump_stack_lvl+0x34/0x58
	dump_stack_lvl from print_report+0x154/0x500
	print_report from kasan_report+0xac/0xd8
	kasan_report from wilc_netdev_cleanup+0x508/0x5cc
	wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
	wilc_bus_remove from spi_remove+0x8c/0xac
	spi_remove from device_release_driver_internal+0x434/0x5f8
	device_release_driver_internal from unbind_store+0xbc/0x108
	unbind_store from kernfs_fop_write_iter+0x398/0x584
	kernfs_fop_write_iter from vfs_write+0x728/0xf88
	vfs_write from ksys_write+0x110/0x1e4
	ksys_write from ret_fast_syscall+0x0/0x1c

	[...]

	Allocated by task 1:
	kasan_save_track+0x30/0x5c
	__kasan_kmalloc+0x8c/0x94
	__kmalloc_node+0x1cc/0x3e4
	kvmalloc_node+0x48/0x180
	alloc_netdev_mqs+0x68/0x11dc
	alloc_etherdev_mqs+0x28/0x34
	wilc_netdev_ifc_init+0x34/0x8ec
	wilc_cfg80211_init+0x690/0x910
	wilc_bus_probe+0xe0/0x4a0
	spi_probe+0x158/0x1b0
	really_probe+0x270/0xdf4
	__driver_probe_device+0x1dc/0x580
	driver_probe_device+0x60/0x140
	__driver_attach+0x228/0x5d4
	bus_for_each_dev+0x13c/0x1a8
	bus_add_driver+0x2a0/0x608
	driver_register+0x24c/0x578
	do_one_initcall+0x180/0x310
	kernel_init_freeable+0x424/0x484
	kernel_init+0x20/0x148
	ret_from_fork+0x14/0x28

	Freed by task 86:
	kasan_save_track+0x30/0x5c
	kasan_save_free_info+0x38/0x58
	__kasan_slab_free+0xe4/0x140
	kfree+0xb0/0x238
	device_release+0xc0/0x2a8
	kobject_put+0x1d4/0x46c
	netdev_run_todo+0x8fc/0x11d0
	wilc_netdev_cleanup+0x1e4/0x5cc
	wilc_bus_remove+0xc8/0xec
	spi_remove+0x8c/0xac
	device_release_driver_internal+0x434/0x5f8
	unbind_store+0xbc/0x108
	kernfs_fop_write_iter+0x398/0x584
	vfs_write+0x728/0xf88
	ksys_write+0x110/0x1e4
	ret_fast_syscall+0x0/0x1c
	[...]

	David Mosberger-Tan initial investigation [1] showed that this
	use-after-free is due to netdevice unregistration during vif list
	traversal. When unregistering a net device, since the needs_free_netdev has
	been set to true during registration, the netdevice object is also freed,
	and as a consequence, the corresponding vif object too, since it is
	attached to it as private netdevice data. The next occurrence of the loop
	then tries to access freed vif pointer to the list to move forward in the
	list.

	Fix this use-after-free thanks to two mechanisms:
	- navigate in the list with list_for_each_entry_safe, which allows to
	safely modify the list as we go through each element. For each element,
	remove it from the list with list_del_rcu
	- make sure to wait for RCU grace period end after each vif removal to make
	sure it is safe to free the corresponding vif too (through
	unregister_netdev)

	Since we are in a RCU "modifier" path (not a "reader" path), and because
	such path is expected not to be concurrent to any other modifier (we are
	using the vif_mutex lock), we do not need to use RCU list API, that's why
	we can benefit from list_for_each_entry_safe.

	[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/

	The Linux kernel CVE team has assigned CVE-2024-26895 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 5.10.214 with commit 5956f4203b6cdd0755bbdd21b45f3933c7026208
	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 5.15.153 with commit fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.1.83 with commit a9545af2a533739ffb64d6c9a6fec6f13e2b505f
	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.6.23 with commit 3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.7.11 with commit 24228dcf1d30c2231caa332be7d3090ac59fbfe9
	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.8.2 with commit 73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
	Issue introduced in 5.5 with commit 8399918f3056e1033f0f4c08eab437fb38d6f22d and fixed in 6.9 with commit cb5942b77c05d54310a0420cac12935e9b6aa21c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26895
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/microchip/wilc1000/netdev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
	https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
	https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
	https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
	https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
	https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
	https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c