In the Linux kernel, the following vulnerability has been resolved:
igbvf: fix double free in igbvf_probe
In igbvf_probe(), if register_netdev() fails, the program goes to
label err_hw_init and then to label err_ioremap. In free_netdev(), which
is called just below label err_ioremap, there is a list_for_each_entry_safe
loop with netif_napi_del that aims to delete all entries in dev->napi_list.
The program has added the entry adapter->rx_ring->napi to that list via
netif_napi_add in igbvf_alloc_queues(). However, adapter->rx_ring has
already been freed below label err_hw_init, so this is a UAF.
In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the napi entry before adapter->rx_ring is freed.
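The teardown order described above, modelled in userspace C as an added example (this is neither kernel code nor the patch itself): a tiny quarantine allocator stands in for KASAN so that the walk in free_netdev() can report how many napi_list entries it read out of already-freed memory, once with the original err_hw_init order and once with the netif_napi_del() placed first.

```c
/* Added userspace model of the igbvf_probe() error path, not kernel code. kfree_q()
 * mimics KASAN's quarantine: freed blocks are remembered and never reused. */
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };
struct napi_struct { struct list_head dev_list; };
struct igbvf_ring { struct napi_struct napi; };     /* stands in for adapter->rx_ring */
struct net_device { struct list_head napi_list; };

static struct { char *p; size_t n; } quarantine[8];
static int nq;
static void kfree_q(void *p, size_t n) { quarantine[nq].p = p; quarantine[nq++].n = n; }
static int in_freed_block(const void *p) {
    for (int i = 0; i < nq; i++)
        if ((const char *)p >= quarantine[i].p && (const char *)p < quarantine[i].p + quarantine[i].n)
            return 1;
    return 0;
}

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *e, struct list_head *h) { e->next = h->next; e->prev = h; h->next->prev = e; h->next = e; }
static void list_del(struct list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }
static void netif_napi_add(struct net_device *d, struct napi_struct *n) { list_add(&n->dev_list, &d->napi_list); }
static void netif_napi_del(struct napi_struct *n) { list_del(&n->dev_list); }

/* free_netdev(): list_for_each_entry_safe over dev->napi_list; returns entries read from freed memory. */
static int free_netdev(struct net_device *d) {
    int uaf = 0;
    for (struct list_head *pos = d->napi_list.next, *n; pos != &d->napi_list; pos = n) {
        n = pos->next;                             /* the read KASAN reported in free_netdev */
        if (in_freed_block(pos)) uaf++;
        netif_napi_del((struct napi_struct *)pos); /* dev_list is the first member */
    }
    return uaf;
}

/* igbvf_probe() after register_netdev() fails. fixed=0: original err_hw_init order
 * (kfree rx_ring, fall through to free_netdev); fixed=1: unlink the napi first, as igbvf_remove() does. */
static int probe_error_path(int fixed) {
    struct net_device dev; list_init(&dev.napi_list);
    nq = 0;
    struct igbvf_ring *rx_ring = calloc(1, sizeof *rx_ring);  /* igbvf_alloc_queues() */
    netif_napi_add(&dev, &rx_ring->napi);
    if (fixed) netif_napi_del(&rx_ring->napi);   /* the fix */
    kfree_q(rx_ring, sizeof *rx_ring);            /* err_hw_init: kfree(adapter->rx_ring) */
    int uaf = free_netdev(&dev);                  /* err_ioremap: free_netdev(netdev) */
    for (int i = 0; i < nq; i++) free(quarantine[i].p);   /* release the quarantine */
    return uaf;
}
```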
The KASAN logs are as follows:
[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
[ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
[ 35.128360]
[ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
[ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 35.131749] Call Trace:
[ 35.132199] dump_stack_lvl+0x59/0x7b
[ 35.132865] print_address_description+0x7c/0x3b0
[ 35.133707] ? free_netdev+0x1fd/0x450
[ 35.134378] __kasan_report+0x160/0x1c0
[ 35.135063] ? free_netdev+0x1fd/0x450
[ 35.135738] kasan_report+0x4b/0x70
[ 35.136367] free_netdev+0x1fd/0x450
[ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf]
[ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
[ 35.138751] local_pci_probe+0x13c/0x1f0
[ 35.139461] pci_device_probe+0x37e/0x6c0
[ 35.165526]
[ 35.165806] Allocated by task 366:
[ 35.166414] __kasan_kmalloc+0xc4/0xf0
[ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
[ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf]
[ 35.168866] local_pci_probe+0x13c/0x1f0
[ 35.169565] pci_device_probe+0x37e/0x6c0
[ 35.179713]
[ 35.179993] Freed by task 366:
[ 35.180539] kasan_set_track+0x4c/0x80
[ 35.181211] kasan_set_free_info+0x1f/0x40
[ 35.181942] __kasan_slab_free+0x103/0x140
[ 35.182703] kfree+0xe3/0x250
[ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf]
[ 35.184040] local_pci_probe+0x13c/0x1f0