Commit 20db162f authored Oct 31, 2024 by Jeongjun Park Committed by Luo Gengkun Oct 31, 2024

net/xen-netback: prevent UAF in xenvif_flush_hash()

mainline inclusion
from mainline-v6.12-rc1
commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6
CVE: CVE-2024-49936

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa5e94a1811d68fbffa0725efe6d4ca62c03d12



--------------------------------

During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.

Therefore, to solve this, you need to change it to list_for_each_entry_safe.

Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Conflicts:
	drivers/net/xen-netback/hash.c
[
A previous commit f3265971 is not merged, but it is ok to merge this patch.
Because this patch will remove the modification of the previous patch.
]
Signed-off-by: Luo Gengkun <luogengkun2@huawei.com>

parent d3ae2925

drivers/net/xen-netback/hash.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -94,7 +94,7 @@ static u32 xenvif_new_hash(struct xenvif vif, const u8 data,

		static void xenvif_flush_hash(struct xenvif *vif)
		{
		struct xenvif_hash_cache_entry *entry;
		struct xenvif_hash_cache_entry entry, n;
		unsigned long flags;

		if (xenvif_hash_cache_size == 0)
		@@ -102,7 +102,7 @@ static void xenvif_flush_hash(struct xenvif *vif)

		spin_lock_irqsave(&vif->hash.cache.lock, flags);

		list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) {
		list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
		list_del_rcu(&entry->link);
		vif->hash.cache.count--;
		kfree_rcu(entry, rcu);