In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces
wilcnetdevcleanup currently triggers a KASAN warning, which can be observed on interface registration error path, or simply by removing the module/unbinding device from driver:
echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind
================================================================== BUG: KASAN: slab-use-after-free in wilcnetdevcleanup+0x508/0x5cc Read of size 4 at addr c54d1ce8 by task sh/86
CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117 Hardware name: Atmel SAMA5 unwindbacktrace from showstack+0x18/0x1c showstack from dumpstacklvl+0x34/0x58 dumpstacklvl from printreport+0x154/0x500 printreport from kasanreport+0xac/0xd8 kasanreport from wilcnetdevcleanup+0x508/0x5cc wilcnetdevcleanup from wilcbusremove+0xc8/0xec wilcbusremove from spiremove+0x8c/0xac spiremove from devicereleasedriverinternal+0x434/0x5f8 devicereleasedriverinternal from unbindstore+0xbc/0x108 unbindstore from kernfsfopwriteiter+0x398/0x584 kernfsfopwriteiter from vfswrite+0x728/0xf88 vfswrite from ksyswrite+0x110/0x1e4 ksyswrite from retfast_syscall+0x0/0x1c
[...]
Allocated by task 1: kasansavetrack+0x30/0x5c _kasankmalloc+0x8c/0x94 _kmallocnode+0x1cc/0x3e4 kvmallocnode+0x48/0x180 allocnetdevmqs+0x68/0x11dc allocetherdevmqs+0x28/0x34 wilcnetdevifcinit+0x34/0x8ec wilccfg80211init+0x690/0x910 wilcbusprobe+0xe0/0x4a0 spiprobe+0x158/0x1b0 reallyprobe+0x270/0xdf4 _driverprobedevice+0x1dc/0x580 driverprobedevice+0x60/0x140 _driverattach+0x228/0x5d4 busforeachdev+0x13c/0x1a8 busadddriver+0x2a0/0x608 driverregister+0x24c/0x578 dooneinitcall+0x180/0x310 kernelinitfreeable+0x424/0x484 kernelinit+0x20/0x148 retfromfork+0x14/0x28
Freed by task 86: kasansavetrack+0x30/0x5c kasansavefreeinfo+0x38/0x58 _kasanslabfree+0xe4/0x140 kfree+0xb0/0x238 devicerelease+0xc0/0x2a8 kobjectput+0x1d4/0x46c netdevruntodo+0x8fc/0x11d0 wilcnetdevcleanup+0x1e4/0x5cc wilcbusremove+0xc8/0xec spiremove+0x8c/0xac devicereleasedriverinternal+0x434/0x5f8 unbindstore+0xbc/0x108 kernfsfopwriteiter+0x398/0x584 vfswrite+0x728/0xf88 ksyswrite+0x110/0x1e4 retfastsyscall+0x0/0x1c [...]
David Mosberger-Tan initial investigation [1] showed that this use-after-free is due to netdevice unregistration during vif list traversal. When unregistering a net device, since the needsfreenetdev has been set to true during registration, the netdevice object is also freed, and as a consequence, the corresponding vif object too, since it is attached to it as private netdevice data. The next occurrence of the loop then tries to access freed vif pointer to the list to move forward in the list.
Fix this use-after-free thanks to two mechanisms: - navigate in the list with listforeachentrysafe, which allows to safely modify the list as we go through each element. For each element, remove it from the list with listdelrcu - make sure to wait for RCU grace period end after each vif removal to make sure it is safe to free the corresponding vif too (through unregister_netdev)
Since we are in a RCU "modifier" path (not a "reader" path), and because such path is expected not to be concurrent to any other modifier (we are using the vifmutex lock), we do not need to use RCU list API, that's why we can benefit from listforeachentry_safe.
[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/