Re: [BUG] net: macb: Use-After-Free when removing the module

From: Nicolas Ferre
Date: Fri Mar 04 2022 - 04:49:48 EST


On 03/03/2022 at 16:57, Jakub Kicinski wrote:
> On Thu, 3 Mar 2022 20:24:53 +0800 Zheyu Ma wrote:
>> When removing the macb_pci module, the driver will cause a UAF bug.
>>
>> Commit d82d5303c4c5 ("net: macb: fix use after free on rmmod") moves
>> the platform_device_unregister() after clk_unregister(), but this
>> introduces another UAF bug.
>
> The layering is all weird here. macb_probe() should allocate a private
> structure for the _PCI driver_ which it can then attach to
> struct pci_dev *pdev as driver data. Then free it in remove.
> It shouldn't stuff its information into the platform device.

The PCI file was added as an optional layer to the original "platform" macb driver. I think it was added to run some experiments in some test conditions at Cadence.

> Are you willing to send a fix like that?

I would prefer that we don't change the driver too much in the normal working conditions, meaning without the additional PCI glue.

My $0.02.

Regards,
Nicolas

--
Nicolas Ferre
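
The ownership question discussed in this thread, as an added user-space C model that is not part of the thread and not macb driver code: it counts stale accesses when a remove path reads its clock pointers back from the platform device's data (in either teardown order) and when it keeps them in a private struct attached to the pci_dev. All type and function names are hypothetical, and the model assumes the platform device's teardown still uses the clocks and releases its platform data.

```c
/* Added illustration: user-space model, not macb driver code; all names are
 * hypothetical. "freed" flags stand in for kfree() so stale accesses are counted. */
#include <stdbool.h>
#include <stdio.h>
struct clk       { bool freed; };
struct platdata  { bool freed; struct clk *clk[2]; };             /* pclk, hclk */
struct plat_dev  { struct platdata pd; };
struct glue_priv { struct clk *clk[2]; struct plat_dev *plat; };  /* PCI glue's own state */
struct pci_dev   { void *drvdata; };
static int stale;                          /* accesses to already-released objects */
static struct clk clks[2];
static struct plat_dev plat;
static void setup(void)
{
    stale = 0;
    clks[0].freed = clks[1].freed = false;
    plat.pd = (struct platdata){ false, { &clks[0], &clks[1] } };
}
static void clk_use(struct clk *c)          { stale += c->freed; }
static void clk_unregister_m(struct clk *c) { clk_use(c); c->freed = true; }
static struct clk *platdata_clk(int i)      { stale += plat.pd.freed; return plat.pd.clk[i]; }

/* Assumption: device teardown still uses both clocks, then drops its platform data. */
static void plat_unregister_m(struct plat_dev *p)
{
    clk_use(p->pd.clk[0]); clk_use(p->pd.clk[1]);
    p->pd.freed = true;
}
/* Clock pointers read back from the platform device's data, in either order. */
int remove_via_platdata(int clocks_first)
{
    setup();
    if (!clocks_first) plat_unregister_m(&plat);
    for (int i = 0; i < 2; i++) clk_unregister_m(platdata_clk(i));
    if (clocks_first) plat_unregister_m(&plat);
    return stale;
}
/* Clock pointers kept in a private struct attached to the pci_dev. */
int remove_via_private_data(void)
{
    setup();
    struct glue_priv priv = { { &clks[0], &clks[1] }, &plat };
    struct pci_dev pdev = { &priv };
    struct glue_priv *g = pdev.drvdata;     /* what remove would fetch */
    plat_unregister_m(g->plat);             /* child goes away while clocks are live */
    for (int i = 0; i < 2; i++) clk_unregister_m(g->clk[i]);
    return stale;
}
int main(void) { printf("%d %d %d\n", remove_via_platdata(0), remove_via_platdata(1), remove_via_private_data()); return 0; }
```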