linux

mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 01:49:46 +00:00

Go to file

Taehee Yoo c511058f16 virt_wifi: fix use-after-free in virt_wifi_newlink()

commit bc71d8b580 upstream.

When virt_wifi interface is created, virt_wifi_newlink() is called and
it calls register_netdevice().
if register_netdevice() fails, it internally would call
->priv_destructor(), which is virt_wifi_net_device_destructor() and
it frees netdev. but virt_wifi_newlink() still use netdev.
So, use-after-free would occur in virt_wifi_newlink().

Test commands:
    ip link add dummy0 type dummy
    modprobe bonding
    ip link add bonding_masters link dummy0 type virt_wifi

Splat looks like:
[  202.220554] BUG: KASAN: use-after-free in virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.221659] Read of size 8 at addr ffff888061629cb8 by task ip/852

[  202.222896] CPU: 1 PID: 852 Comm: ip Not tainted 5.4.0-rc5 #3
[  202.223765] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  202.225073] Call Trace:
[  202.225532]  dump_stack+0x7c/0xbb
[  202.226869]  print_address_description.constprop.5+0x1be/0x360
[  202.229362]  __kasan_report+0x12a/0x16f
[  202.230714]  kasan_report+0xe/0x20
[  202.232595]  virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.233370]  __rtnl_newlink+0xb9f/0x11b0
[  202.244909]  rtnl_newlink+0x65/0x90
[ ... ]

Cc: stable@vger.kernel.org
Fixes: c7cdba31ed ("mac80211-next: rtnetlink wifi simulation device")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20191121122645.9355-1-ap420073@gmail.com
[trim stack dump a bit]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2019-12-17 19:55:55 +01:00

arch

ARM: dts: pandora-common: define wl1251 as child node of mmc3

2019-12-17 19:55:39 +01:00

block

iocost: check active_list of all the ancestors in iocg_activate()

2019-11-14 13:56:54 -07:00

certs

PKCS#7: Refactor verify_pkcs7_signature()

2019-08-05 18:40:18 -04:00

crypto

crypto: user - fix memory leak in crypto_reportstat

2019-12-13 08:43:11 +01:00

Documentation

USB: documentation: flags on usb-storage versus UAS

2019-12-17 19:55:32 +01:00

drivers

virt_wifi: fix use-after-free in virt_wifi_newlink()

2019-12-17 19:55:55 +01:00

ceph: fix compat_ioctl for ceph_dir_operations

2019-12-17 19:55:31 +01:00

include

compat_ioctl: add compat_ptr_ioctl()

2019-12-17 19:55:30 +01:00

init

Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

2019-09-28 08:14:15 -07:00

ipc

ipc/sem.c: convert to use built-in RCU list checking

2019-09-25 17:51:41 -07:00

kernel

time: Zero the upper 32-bits in __kernel_timespec on 32-bit

2019-12-13 08:42:18 +01:00

lib

lib/xz: fix XZ_DYNALLOC to avoid useless memory reallocations

2019-11-15 18:34:00 -08:00

LICENSES

LICENSES: Rename other to deprecated

2019-05-03 06:34:32 -06:00

mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()

2019-11-22 09:11:18 -08:00

net

rfkill: allocate static minor

2019-12-13 08:43:18 +01:00

samples

samples/bpf: fix build by setting HAVE_ATTR_TEST to zero

2019-10-31 21:39:15 +01:00

scripts

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

2019-11-15 09:14:23 -08:00

security

efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN

2019-10-31 09:40:21 +01:00

sound

ALSA: hda - Fix pending unsol events at shutdown

2019-12-13 08:43:27 +01:00

tools

kselftest: Fix NULL INSTALL_PATH for TARGETS runlist

2019-12-13 08:43:31 +01:00

usr

kbuild: update compile-test header list for v5.4-rc2

2019-10-05 15:29:49 +09:00

virt

KVM: arm/arm64: vgic: Don't rely on the wrong pending table

2019-12-13 08:43:00 +01:00

.clang-format

clang-format: Update with the latest for_each macro list

2019-08-31 10:00:51 +02:00

.cocciconfig

…

.get_maintainer.ignore

Opt out of scripts/get_maintainer.pl

2019-05-16 10:53:40 -07:00

.gitattributes

.gitattributes: set git diff driver for C source code files

2016-10-07 18:46:30 -07:00

.gitignore

Merge tag 'modules-for-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux

2019-09-22 10:34:46 -07:00

.mailmap

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

2019-11-10 13:41:59 -08:00

COPYING

COPYING: use the new text with points to the license files

2018-03-23 12:41:45 -06:00

CREDITS

MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer

2019-10-10 08:12:51 -07:00

Kbuild

kbuild: do not descend to ./Kbuild when cleaning

2019-08-21 21:03:58 +09:00

Kconfig

docs: kbuild: convert docs to ReST and rename to *.rst

2019-06-14 14:21:21 -06:00

MAINTAINERS

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2019-11-22 14:28:14 -08:00

Makefile

Linux 5.4.3

2019-12-13 08:43:32 +01:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.

Languages

C 97.7%

Assembly 1.3%

Shell 0.3%

Makefile 0.3%

Python 0.2%

Other 0.1%