CVE-2024-26895

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
17/04/2024
Last modified:
12/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

wilc_netdev_cleanup currently triggers a KASAN warning, which can be
observed on the interface registration error path, or simply by
removing the module/unbinding the device from the driver:

echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind

==================================================================
BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
Read of size 4 at addr c54d1ce8 by task sh/86

CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
Hardware name: Atmel SAMA5
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x34/0x58
dump_stack_lvl from print_report+0x154/0x500
print_report from kasan_report+0xac/0xd8
kasan_report from wilc_netdev_cleanup+0x508/0x5cc
wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
wilc_bus_remove from spi_remove+0x8c/0xac
spi_remove from device_release_driver_internal+0x434/0x5f8
device_release_driver_internal from unbind_store+0xbc/0x108
unbind_store from kernfs_fop_write_iter+0x398/0x584
kernfs_fop_write_iter from vfs_write+0x728/0xf88
vfs_write from ksys_write+0x110/0x1e4
ksys_write from ret_fast_syscall+0x0/0x1c

[...]

Allocated by task 1:
kasan_save_track+0x30/0x5c
__kasan_kmalloc+0x8c/0x94
__kmalloc_node+0x1cc/0x3e4
kvmalloc_node+0x48/0x180
alloc_netdev_mqs+0x68/0x11dc
alloc_etherdev_mqs+0x28/0x34
wilc_netdev_ifc_init+0x34/0x8ec
wilc_cfg80211_init+0x690/0x910
wilc_bus_probe+0xe0/0x4a0
spi_probe+0x158/0x1b0
really_probe+0x270/0xdf4
__driver_probe_device+0x1dc/0x580
driver_probe_device+0x60/0x140
__driver_attach+0x228/0x5d4
bus_for_each_dev+0x13c/0x1a8
bus_add_driver+0x2a0/0x608
driver_register+0x24c/0x578
do_one_initcall+0x180/0x310
kernel_init_freeable+0x424/0x484
kernel_init+0x20/0x148
ret_from_fork+0x14/0x28

Freed by task 86:
kasan_save_track+0x30/0x5c
kasan_save_free_info+0x38/0x58
__kasan_slab_free+0xe4/0x140
kfree+0xb0/0x238
device_release+0xc0/0x2a8
kobject_put+0x1d4/0x46c
netdev_run_todo+0x8fc/0x11d0
wilc_netdev_cleanup+0x1e4/0x5cc
wilc_bus_remove+0xc8/0xec
spi_remove+0x8c/0xac
device_release_driver_internal+0x434/0x5f8
unbind_store+0xbc/0x108
kernfs_fop_write_iter+0x398/0x584
vfs_write+0x728/0xf88
ksys_write+0x110/0x1e4
ret_fast_syscall+0x0/0x1c
[...]

David Mosberger-Tan's initial investigation [1] showed that this
use-after-free is due to netdevice unregistration during vif list
traversal. When unregistering a net device, since needs_free_netdev has
been set to true during registration, the netdevice object is also freed,
and as a consequence, the corresponding vif object too, since it is
attached to it as private netdevice data. The next occurrence of the loop
then tries to access the freed vif pointer to move forward in the list.

Fix this use-after-free thanks to two mechanisms:
- navigate in the list with list_for_each_entry_safe, which allows us to
  safely modify the list as we go through each element. For each element,
  remove it from the list with list_del_rcu
- make sure to wait for the RCU grace period to end after each vif removal,
  to make sure it is safe to free the corresponding vif too (through
  unregister_netdev)

Since we are in an RCU "modifier" path (not a "reader" path), and because
such a path is expected not to be concurrent with any other modifier (we are
using the vif_mutex lock), we do not need to use the RCU list API; that's why
we can benefit from list_for_each_entry_safe.

[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/
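To make the fix concrete, the following is an added userspace model of the cleanup loop, not code from the kernel or the wilc1000 driver: the list.h macros are re-implemented minimally, struct wilc_vif is reduced to a list node, and unregister_and_free() and run_cleanup_demo() are hypothetical stand-ins for unregister_netdev() and the driver's remove path. It shows why the "safe" iterator survives the body freeing the current element: the next pointer is read before the body runs.

```c
/* Userspace model of the wilc1000 vif-list cleanup (added example, not kernel
 * code); the list.h pieces the fix relies on are re-implemented minimally. */
#include <stddef.h>
#include <stdlib.h>
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_first_entry(head, type, member) container_of((head)->next, type, member)
#define list_next_entry(pos, member) \
    container_of((pos)->member.next, __typeof__(*(pos)), member)
/* Safe variant: n is fetched before the body runs, so the body may free pos. */
#define list_for_each_entry_safe(pos, n, head, member)               \
    for (pos = list_first_entry(head, __typeof__(*pos), member),     \
         n = list_next_entry(pos, member);                           \
         &pos->member != (head);                                     \
         pos = n, n = list_next_entry(n, member))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *h)
{ e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e; }
static void list_del(struct list_head *e)   /* unlink and poison, like the kernel */
{ e->prev->next = e->next; e->next->prev = e->prev; e->next = e->prev = NULL; }
struct wilc_vif { int idx; struct list_head list; };
/* Hypothetical stand-in for unregister_netdev() with needs_free_netdev set:
 * the netdev and the vif kept in its private data are both gone afterwards. */
static void unregister_and_free(struct wilc_vif *vif) { free(vif); }
/* The fixed cleanup: unlink, then unregister; tmp keeps the walk valid. The
 * kernel uses list_del_rcu() and waits for an RCU grace period before
 * unregister_netdev(); this single-threaded model has no readers to wait for. */
int cleanup_all_vifs(struct list_head *vif_list)
{
    struct wilc_vif *vif, *tmp; int freed = 0;
    list_for_each_entry_safe(vif, tmp, vif_list, list) {
        list_del(&vif->list);
        unregister_and_free(vif);
        freed++;
    }
    return freed;
}
/* Builds n vifs and cleans them up; returns the count, or -1 if the list was
 * not left empty (hypothetical driver remove path, constructed for the demo). */
int run_cleanup_demo(int n)
{
    struct list_head vif_list; INIT_LIST_HEAD(&vif_list);
    for (int i = 0; i < n; i++) {
        struct wilc_vif *vif = malloc(sizeof *vif);
        list_add_tail(&vif->list, &vif_list);
    }
    int freed = cleanup_all_vifs(&vif_list);
    return vif_list.next == &vif_list ? freed : -1;
}
```

Swapping the safe macro for a plain list_for_each_entry reproduces the bug's shape: the loop's advance step would read vif->list.next out of memory that unregister_and_free() has just released, which is exactly what KASAN flagged in wilc_netdev_cleanup.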

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.153 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.2 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*