mirror of
https://git.proxmox.com/git/mirror_ubuntu-kernels.git
synced 2025-11-09 06:12:31 +00:00
There are two sites that call queue_work() after destroy_workqueue() and lead to a possible UAF.

The first site is nci_send_cmd(), which can happen after nci_close_device, as below:

```
nfcmrvl_nci_unregister_dev   |  nfc_genl_dev_up
  nci_close_device           |
    flush_workqueue          |
    del_timer_sync           |
  nci_unregister_device      |    nfc_get_device
    destroy_workqueue        |    nfc_dev_up
  nfc_unregister_device      |      nci_dev_up
    device_del               |        nci_open_device
                             |          __nci_request
                             |            nci_send_cmd
                             |              queue_work !!!
```

Another site is nci_cmd_timer, awakened by nci_cmd_work from nci_send_cmd:

```
...                          |  ...
  nci_unregister_device      |  queue_work
    destroy_workqueue        |
  nfc_unregister_device      |  ...
    device_del               |  nci_cmd_work
                             |    mod_timer
                             |    ...
                             |  nci_cmd_timer
                             |    queue_work !!!
```

For the above two UAFs, the root cause is that nfc_dev_up can race with the nci_unregister_device routine. Therefore, this patch introduces an NCI_UNREG flag to easily eliminate the possible race. In addition, the mutex_lock in nci_close_device can act as a barrier.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Fixes:
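The race and the NCI_UNREG mechanism the commit message describes, replayed deterministically in user-space C. This is an added example, not the kernel's net/nfc/nci code and not part of the patch: the `*_model` functions, `struct wq_model` with its counters, the bit-in-`flags` encoding and `replay_race()` are this example's own stand-ins for the kernel workqueue, `ndev->req_lock` and `ndev->flags`. It models the first site (nci_open_device reaching queue_work through nci_send_cmd); the timer site is not replayed here, but since nci_cmd_work and therefore nci_cmd_timer only run once that first queue_work has happened, refusing the open under the flag cuts off both.

```c
/* Added example: user-space model of the nfc_dev_up vs nci_unregister_device
 * race and of the NCI_UNREG flag that closes it. Not kernel code; all names
 * ending in _model, struct wq_model and replay_race() are this example's own.
 */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define NCI_UNREG 0   /* bit position in ndev->flags (modelled, not the kernel's value) */

/* Stand-in for a workqueue_struct. The kernel frees the queue in
 * destroy_workqueue(); a later queue_work() is the use-after-free.
 * Here the freed state is just a flag, and late calls are counted. */
struct wq_model {
    bool destroyed;
    int  queued;       /* works accepted while the queue was alive */
    int  late_queue;   /* queue_work() calls after destroy (the bug) */
};

struct nci_dev_model {
    pthread_mutex_t req_lock;   /* models ndev->req_lock */
    unsigned long   flags;      /* models ndev->flags */
    struct wq_model cmd_wq;     /* models ndev->cmd_wq */
};

static int queue_work_model(struct wq_model *wq)
{
    if (wq->destroyed) {
        wq->late_queue++;   /* in the kernel: dereference of freed memory */
        return -1;
    }
    wq->queued++;
    return 0;
}

static void destroy_workqueue_model(struct wq_model *wq)
{
    wq->destroyed = true;
}

/* nci_close_device(): the lock/unlock pair is the barrier the commit
 * message mentions. With NCI_UNREG already set, an open that holds
 * req_lock finishes before we proceed, and any later open sees the flag. */
static void nci_close_device_model(struct nci_dev_model *ndev)
{
    pthread_mutex_lock(&ndev->req_lock);
    /* flush_workqueue() / del_timer_sync() would run here */
    pthread_mutex_unlock(&ndev->req_lock);
}

/* nci_unregister_device(): set the flag (fixed build only), pass the
 * barrier, then destroy the command workqueue. */
static void nci_unregister_device_model(struct nci_dev_model *ndev, bool fixed)
{
    if (fixed)
        ndev->flags |= 1UL << NCI_UNREG;
    nci_close_device_model(ndev);
    destroy_workqueue_model(&ndev->cmd_wq);
}

/* nci_open_device() -> __nci_request() -> nci_send_cmd() -> queue_work().
 * The fixed variant checks NCI_UNREG under req_lock before queueing. */
static int nci_open_device_model(struct nci_dev_model *ndev, bool fixed)
{
    int rc;

    pthread_mutex_lock(&ndev->req_lock);
    if (fixed && (ndev->flags & (1UL << NCI_UNREG))) {
        rc = -ENODEV;
        goto done;
    }
    rc = queue_work_model(&ndev->cmd_wq);   /* nci_send_cmd() path */
done:
    pthread_mutex_unlock(&ndev->req_lock);
    return rc;
}

/* Replay the interleaving from the commit message: the unregister side
 * runs to completion, then a racing nfc_dev_up reaches nci_open_device.
 * Returns the number of queue_work() calls that hit the destroyed queue
 * (0 means the UAF is prevented); *open_rc receives the open's result. */
int replay_race(bool fixed, int *open_rc)
{
    struct nci_dev_model ndev = { .flags = 0, .cmd_wq = { false, 0, 0 } };
    pthread_mutex_init(&ndev.req_lock, NULL);

    nci_unregister_device_model(&ndev, fixed);
    int rc = nci_open_device_model(&ndev, fixed);
    if (open_rc)
        *open_rc = rc;

    pthread_mutex_destroy(&ndev.req_lock);
    return ndev.cmd_wq.late_queue;
}

int main(void)
{
    int rc, late;

    late = replay_race(false, &rc);
    printf("without NCI_UNREG: late queue_work calls = %d, open rc = %d\n", late, rc);
    late = replay_race(true, &rc);
    printf("with NCI_UNREG:    late queue_work calls = %d, open rc = %d\n", late, rc);
    return 0;
}
```

The unfixed replay records one queue_work() against a destroyed queue and the open "succeeds"; the fixed replay records none and the open fails with -ENODEV. The ordering matters: the flag must be set before the close path takes req_lock, otherwise an open that already passed the flag check could still be running when the queue is destroyed.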