In the Linux kernel, the following vulnerability has been resolved:
satafsl: fix UAF in satafslportstop when rmmod sata_fsl
When the rmmod sata_fsl.ko
command is executed in the PPC64 GNU/Linux,
a bug is reported:
==================================================================
BUG: Unable to handle kernel data access on read at 0x80000800805b502c
Oops: Kernel access of bad area, sig: 11 [#1]
NIP [c0000000000388a4] .ioread32+0x4/0x20
LR [80000000000c6034] .satafslportstop+0x44/0xe0 [satafsl]
Call Trace:
.freeirq+0x1c/0x4e0 (unreliable)
.atahoststop+0x74/0xd0 [libata]
.releasenodes+0x330/0x3f0
.devicereleasedriverinternal+0x178/0x2c0
.driverdetach+0x64/0xd0
.busremovedriver+0x70/0xf0
.driverunregister+0x38/0x80
.platformdriverunregister+0x14/0x30
.fslsatadriverexit+0x18/0xa20 [satafsl]
.sesysdeletemodule+0x1ec/0x2d0
.systemcallexception+0xfc/0x1f0
systemcallcommon+0xf8/0x200
==================================================================
The triggering of the BUG is shown in the following stack:
driverdetach devicereleasedriverinternal _devicereleasedriver drv->remove(dev) --> platformdrvremove/platformremove drv->remove(dev) --> satafslremove iounmap(hostpriv->hcrbase); <---- unmap kfree(hostpriv); <---- free devresreleaseall releasenodes dr->node.release(dev, dr->data) --> atahoststop ap->ops->portstop(ap) --> satafslportstop ioread32(hcrbase + HCONTROL) <---- UAF host->ops->hoststop(host)
The iounmap(hostpriv->hcrbase) and kfree(hostpriv) functions should not be executed in drv->remove. These functions should be executed in hoststop after portstop. Therefore, we move these functions to the new function satafslhoststop and bind the new function to host_stop.