Commit 2619a304 authored Jan 10, 2024 by Ziyang Xuan
net: bridge: multicast: fix UAF of net_bridge

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8UZTK


CVE: NA

--------------------------------

Get a UAF problem as following:

========================================================
BUG: KASAN: use-after-free in run_timer_softirq+0x526/0x750
...
Call Trace:
 <IRQ>
 dump_stack+0x8b/0xbb
 print_address_description+0x6a/0x270
 kasan_report+0x179/0x2c0
 ? run_timer_softirq+0x526/0x750
 run_timer_softirq+0x526/0x750
 ? pvclock_clocksource_read+0xd1/0x180
 ? init_timer_key+0xc0/0xc0
 ? kvm_sched_clock_read+0xd/0x20
 ? sched_clock+0x5/0x10
 ? sched_clock_cpu+0x18/0x100
 __do_softirq+0x119/0x3a2
 irq_exit+0x153/0x160
 smp_apic_timer_interrupt+0x92/0x1a0
 apic_timer_interrupt+0xf/0x20
...
Allocated by task 11277:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc_node+0x190/0x2b0
 kvmalloc_node+0x43/0x70
 alloc_netdev_mqs+0x6a/0x660
 rtnl_create_link+0x12a/0x420
 rtnl_newlink+0x832/0xab0
 rtnetlink_rcv_msg+0x424/0x500
 netlink_rcv_skb+0xcd/0x200
 netlink_unicast+0x2e9/0x3a0
 netlink_sendmsg+0x4d7/0x670
 sock_sendmsg+0x6d/0x80
 ____sys_sendmsg+0x36a/0x3d0
 ___sys_sendmsg+0x10a/0x190
 __sys_sendmsg+0xd2/0x150
 do_syscall_64+0x77/0x2c0
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 11313:
 __kasan_slab_free+0x130/0x180
 kfree+0x90/0x1a0
 device_release+0x47/0xe0
 kobject_release+0x98/0x200
 netdev_run_todo+0x36d/0x490
 rtnetlink_rcv_msg+0x42c/0x500
 netlink_rcv_skb+0xcd/0x200
 netlink_unicast+0x2e9/0x3a0
 netlink_sendmsg+0x4d7/0x670
 sock_sendmsg+0x6d/0x80
 ____sys_sendmsg+0x36a/0x3d0
 ___sys_sendmsg+0x10a/0x190
 __sys_sendmsg+0xd2/0x150
 do_syscall_64+0x77/0x2c0
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Under closed state of bridge netdev, try to activate ip6_own_query.timer
of bridge netdev by br_multicast_set_querier(), and delete bridge netdev
immediately afterwards. Because the timer will not be deleted during
bridge netdev deleting process. When the timer is not activated before
bridge netdev is released, UAF will be triggered to access the timer in
run_timer_softirq().

Add br_multicast_stop() in br_multicast_dev_del() to delete the timer
during bridge netdev deleting process as done in commit 613d61db ("net:
bridge: vlan: add global and per-port multicast context").

Fixes: cc0fdd80 ("bridge: separate querier and query timer into IGMP/IPv4 and MLD/IPv6 ones")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
parent 9b8b6ad3
Show whitespace changes
Inline Side-by-side
Please to comment