hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,087,362 Commits 9 Branches 1 Tag 4.7 GiB
C 97.7%
Assembly 1.1%
Shell 0.4%
Makefile 0.3%
Python 0.2%
Other 0.1%
Go to file
Duoming Zhou 82e31755e5 ax25: Fix UAF bugs in ax25 timers 
There are race conditions that may lead to UAF bugs in
ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(),
ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we call
ax25_release() to deallocate ax25_dev.

One of the UAF bugs caused by ax25_release() is shown below:

      (Thread 1)                    |      (Thread 2)
ax25_dev_device_up() //(1)          |
...                                 | ax25_kill_by_device()
ax25_bind()          //(2)          |
ax25_connect()                      | ...
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              | ax25_dev_device_down() //(3)
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_release()
   (wait a time)                    |  ...
                                    |  ax25_dev_put(ax25_dev) //(4)FREE
   ax25_t1timer_expiry()            |
    ax25->ax25_dev->values[..] //USE|  ...
     ...                            |

We increase the refcount of ax25_dev in position (1) and (2), and
decrease the refcount of ax25_dev in position (3) and (4).
The ax25_dev will be freed in position (4) and be used in
ax25_t1timer_expiry().

The fail log is shown below:
==============================================================

[  106.116942] BUG: KASAN: use-after-free in ax25_t1timer_expiry+0x1c/0x60
[  106.116942] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0
[  106.116942] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574
[  106.116942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14
[  106.116942] Call Trace:
...
[  106.116942]  ax25_t1timer_expiry+0x1c/0x60
[  106.116942]  call_timer_fn+0x122/0x3d0
[  106.116942]  __run_timers.part.0+0x3f6/0x520
[  106.116942]  run_timer_softirq+0x4f/0xb0
[  106.116942]  __do_softirq+0x1c2/0x651
...

This patch adds del_timer_sync() in ax25_release(), which could ensure
that all timers stop before we deallocate ax25_dev.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 		2022-03-29 10:24:34 +02:00
Documentation TTY/Serial driver changes for 5.18-rc1 2022-03-28 13:00:51 -07:00
LICENSES LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers 2021-12-16 14:33:10 +01:00
arch Microblaze patches for 5.18-rc1 2022-03-28 14:46:53 -07:00
block for-5.18/64bit-pi-2022-03-25 2022-03-26 12:01:35 -07:00
certs KEYS: Introduce link restriction for machine keys 2022-03-08 13:55:52 +02:00
crypto for-5.18/64bit-pi-2022-03-25 2022-03-26 12:01:35 -07:00
drivers Networking fixes, including fixes from netfilter. 2022-03-28 17:02:04 -07:00
fs Driver core changes for 5.18-rc1 2022-03-28 12:41:28 -07:00
include Networking fixes, including fixes from netfilter. 2022-03-28 17:02:04 -07:00
init Merge branch 'akpm' (patches from Andrew) 2022-03-24 14:14:07 -07:00
ipc fs: allocate inode by using alloc_inode_sb() 2022-03-22 15:57:03 -07:00
kernel kgdb patches for 5.18 2022-03-28 15:00:42 -07:00
lib memcpy updates for v5.18-rc1 2022-03-26 12:19:04 -07:00
mm mm: kfence: fix missing objcg housekeeping for SLAB 2022-03-27 18:47:00 -07:00
net ax25: Fix UAF bugs in ax25 timers 2022-03-29 10:24:34 +02:00
samples Livepatching changes for 5.18 2022-03-28 14:38:31 -07:00
scripts Driver core changes for 5.18-rc1 2022-03-28 12:41:28 -07:00
security Landlock updates for v5.18-rc1 2022-03-27 14:26:47 -07:00
sound xen: branch for v5.18-rc1 2022-03-28 14:32:39 -07:00
tools Networking fixes, including fixes from netfilter. 2022-03-28 17:02:04 -07:00
usr reiserfs_xattr.h: add linux/reiserfs_xattr.h to UAPI compile-test coverage 2022-02-17 09:09:38 +01:00
virt KVM: compat: riscv: Prevent KVM_COMPAT from being selected 2022-03-11 19:02:15 +05:30
.clang-format genirq/msi: Make interrupt allocation less convoluted 2021-12-16 22:22:20 +01:00
.cocciconfig
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl 2019-05-16 10:53:40 -07:00
.gitattributes .gitattributes: use 'dts' diff driver for dts files 2019-12-04 19:44:11 -08:00
.gitignore .gitignore: ignore only top-level modules.builtin 2021-05-02 00:43:35 +09:00
.mailmap Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS MAINTAINERS: replace a Microchip AT91 maintainer 2022-02-09 11:30:01 +01:00
Kbuild kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS MAINTAINERS: update hexagon maintainer email, tree 2022-03-28 13:51:54 -07:00
Makefile array-bounds updates for v5.18-rc1 2022-03-26 12:30:44 -07:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.