linux/drivers/nfc
Duoming Zhou d270453a0d nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs
There are destructive operations such as nfcmrvl_fw_dnld_abort and
gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware,
gpio and so on could be destructed while the upper layer functions such as
nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads
to double-free, use-after-free and null-ptr-deref bugs.

There are three situations that could lead to double-free bugs.

The first situation is shown below:

   (Thread 1)                 |      (Thread 2)
nfcmrvl_fw_dnld_start         |
 ...                          |  nfcmrvl_nci_unregister_dev
 release_firmware()           |   nfcmrvl_fw_dnld_abort
  kfree(fw) //(1)             |    fw_dnld_over
                              |     release_firmware
  ...                         |      kfree(fw) //(2)
                              |     ...

The second situation is shown below:

   (Thread 1)                 |      (Thread 2)
nfcmrvl_fw_dnld_start         |
 ...                          |
 mod_timer                    |
 (wait a time)                |
 fw_dnld_timeout              |  nfcmrvl_nci_unregister_dev
   fw_dnld_over               |   nfcmrvl_fw_dnld_abort
    release_firmware          |    fw_dnld_over
     kfree(fw) //(1)          |     release_firmware
     ...                      |      kfree(fw) //(2)

The third situation is shown below:

       (Thread 1)               |       (Thread 2)
nfcmrvl_nci_recv_frame          |
 if(..->fw_download_in_progress)|
  nfcmrvl_fw_dnld_recv_frame    |
   queue_work                   |
                                |
fw_dnld_rx_work                 | nfcmrvl_nci_unregister_dev
 fw_dnld_over                   |  nfcmrvl_fw_dnld_abort
  release_firmware              |   fw_dnld_over
   kfree(fw) //(1)              |    release_firmware
                                |     kfree(fw) //(2)

The firmware struct is deallocated in position (1) and deallocated
in position (2) again.

The crash trace triggered by POC is like below:

BUG: KASAN: double-free or invalid-free in fw_dnld_over
Call Trace:
  kfree
  fw_dnld_over
  nfcmrvl_nci_unregister_dev
  nci_uart_tty_close
  tty_ldisc_kill
  tty_ldisc_hangup
  __tty_hangup.part.0
  tty_release
  ...

What's more, there are also use-after-free and null-ptr-deref bugs
in nfcmrvl_fw_dnld_start. If we deallocate firmware struct, gpio or
set null to the members of priv->fw_dnld in nfcmrvl_nci_unregister_dev,
then, we dereference firmware, gpio or the members of priv->fw_dnld in
nfcmrvl_fw_dnld_start, the UAF or NPD bugs will happen.

This patch reorders destructive operations after nci_unregister_device
in order to synchronize between cleanup routine and firmware download
routine.

The nci_unregister_device is well synchronized. If the device is
detaching, the firmware download routine will goto error. If firmware
download routine is executing, nci_unregister_device will wait until
firmware download routine is finished.

Fixes: 3194c68701 ("NFC: nfcmrvl: add firmware download support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-05-01 13:26:05 +01:00
..
fdp nfc: fdp: Merge the same judgment 2021-11-26 11:22:14 -08:00
microread nfc: microread: drop unneeded debug prints 2021-10-11 17:00:52 -07:00
nfcmrvl nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs 2022-05-01 13:26:05 +01:00
nxp-nci nfc: constify nci_ops 2021-07-25 09:21:20 +01:00
pn533 nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-07 19:37:04 +00:00
pn544 nfc: pn544: make array rset_cmd static const 2022-01-11 21:09:03 -08:00
s3fwrn5 nfc: s3fwrn5: simplify dereferencing pointer to struct device 2021-10-11 17:00:51 -07:00
st21nfca nfc: st21nfca: remove unnecessary skb check before kfree_skb() 2022-03-18 21:41:51 -07:00
st95hf spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
st-nci spi: Make remove() return void 2022-02-28 10:43:07 -08:00
Kconfig nfc: Add a virtual nci device driver 2021-01-29 18:03:33 -08:00
Makefile nfc: Add a virtual nci device driver 2021-01-29 18:03:33 -08:00
mei_phy.c nfc: mei_phy: constify buffer passed to mei_nfc_send() 2021-07-29 12:28:02 +01:00
mei_phy.h nfc: constify nfc_phy_ops 2021-07-25 09:21:21 +01:00
nfcsim.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-07-31 09:14:46 -07:00
port100.c NFC: port100: fix use-after-free in port100_send_complete 2022-03-09 19:59:34 -08:00
trf7970a.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
virtual_ncidev.c nfc: virtual_ncidev: change default device permissions 2021-11-26 11:14:31 -08:00