leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1cab5bd69e
linux/drivers/net/can/sja1000
History
Zheyu Ma 949fe9b355 can: peak_pci: peak_pci_remove(): fix UAF 
When remove the module peek_pci, referencing 'chan' again after
releasing 'dev' will cause UAF.

Fix this by releasing 'dev' later.

The following log reveals it:

[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[   35.965513 ] Call Trace:
[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
[   35.966028 ]  print_address_description+0x87/0x3b0
[   35.966420 ]  kasan_report+0x172/0x1c0
[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.968752 ]  pci_device_remove+0xa9/0x250

Fixes: e6d9c80b7c ("can: peak_pci: add support of some new PEAK-System PCI cards")
Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2021-10-17 22:51:50 +02:00
..
ems_pci.c module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
ems_pcmcia.c module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
f81601.c can: sja1000: f81601: remove unused including <linux/version.h> 2019-08-13 16:37:03 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
kvaser_pci.c module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
Makefile can: sja1000: f81601: add Fintek F81601 support 2019-07-24 10:30:37 +02:00
peak_pci.c can: peak_pci: peak_pci_remove(): fix UAF 2021-10-17 22:51:50 +02:00
peak_pcmcia.c module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
plx_pci.c module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
sja1000_isa.c remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
sja1000_platform.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
sja1000.c can: dev: can_free_echo_skb(): extend to return can frame length 2021-03-30 11:14:28 +02:00
sja1000.h
tscan1.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00