From: Yang Yingliang <yangyingli...@huawei.com> Date: Tue, 10 Sep 2019 18:56:57 +0800
> I got a UAF report in tun driver when doing fuzzy test:
> ...
> tun_chr_read_iter() accessed the memory which was freed by free_netdev()
> called by tun_set_iff():
>
>            CPUA                                  CPUB
>   tun_set_iff()
>     alloc_netdev_mqs()
>     tun_attach()
>                                         tun_chr_read_iter()
>                                           tun_get()
>                                           tun_do_read()
>                                             tun_ring_recv()
>     register_netdevice() <-- inject error
>       goto err_detach
>     tun_detach_all() <-- set RCV_SHUTDOWN
>     free_netdev() <-- called from err_free_dev path
>       netdev_freemem() <-- free the memory without check refcount
>     (In this path, the refcount cannot prevent
>     freeing the memory of dev, and the memory
>     will be used by dev_put() called by
>     tun_chr_read_iter() on CPUB.)
>                                             (Break from tun_ring_recv(),
>                                              because RCV_SHUTDOWN is set)
>                                           tun_put()
>                                             dev_put() <-- use the memory freed by netdev_freemem()
>
> Put the publishing of tfile->tun after register_netdevice(),
> so tun_get() won't get the tun pointer that was freed by
> err_detach path if register_netdevice() failed.
>
> Fixes: eb0fb363f920 ("tuntap: attach queue 0 before registering netdevice")
> Reported-by: Hulk Robot <hul...@huawei.com>
> Suggested-by: Jason Wang <jasow...@redhat.com>
> Signed-off-by: Yang Yingliang <yangyingli...@huawei.com>

Applied, thanks.
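The ordering problem in the quoted commit message, as an added user-space model (not the patch itself and not kernel code; every name below such as model_dev, model_tfile and simulate_tun_set_iff is hypothetical). A stand-in device carries a refcount and a "freed" flag instead of being really released, so a stale dev_put() is detected as a return value rather than as undefined behaviour. The reader runs in the window between tun_attach() and register_netdevice(); with the old ordering the pointer is already published and the error path frees the device underneath it, with the fixed ordering the reader sees no pointer yet.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel objects named in the report. */
struct model_dev {
    int refcnt;   /* mirrors dev_hold()/dev_put() */
    bool freed;   /* simulation flag: set instead of calling free(), so a
                     use after "free" can be detected without undefined behaviour */
};

struct model_tfile {
    struct model_dev *tun;   /* tfile->tun: the pointer tun_get() reads */
};

/* tun_get(): read the published pointer and, if present, take a reference. */
static struct model_dev *model_tun_get(struct model_tfile *tfile)
{
    struct model_dev *tun = tfile->tun;
    if (tun)
        tun->refcnt++;   /* dev_hold() */
    return tun;
}

/* dev_put(): returns 1 if the device memory had already been released,
 * which is the use-after-free the report describes, else drops the ref. */
static int model_dev_put(struct model_dev *tun)
{
    if (tun->freed)
        return 1;
    tun->refcnt--;
    return 0;
}

/* Error path of tun_set_iff(): tun_detach_all() then free_netdev().
 * netdev_freemem() does not consult the refcount, exactly as in the report. */
static void model_err_free_dev(struct model_tfile *tfile, struct model_dev *dev)
{
    tfile->tun = NULL;   /* tun_detach_all() */
    dev->freed = true;   /* free_netdev() -> netdev_freemem() */
}

/* Runs one interleaving of CPUA (tun_set_iff) and CPUB (tun_chr_read_iter).
 * publish_before_register selects the old ordering (true) or the fixed one.
 * Returns 1 when the reader ends up using freed memory, 0 otherwise. */
int simulate_tun_set_iff(bool publish_before_register, bool register_fails)
{
    struct model_dev dev = { .refcnt = 1, .freed = false };
    struct model_tfile tfile = { .tun = NULL };
    struct model_dev *reader_ref;

    /* CPUA: alloc_netdev_mqs() + tun_attach(). The old ordering publishes
     * tfile->tun here, before the device is registered. */
    if (publish_before_register)
        tfile.tun = &dev;

    /* CPUB: tun_chr_read_iter() -> tun_get() in the pre-registration window. */
    reader_ref = model_tun_get(&tfile);

    /* CPUA: register_netdevice(), with the injected error if requested. */
    if (register_fails) {
        model_err_free_dev(&tfile, &dev);
    } else if (!publish_before_register) {
        tfile.tun = &dev;   /* fixed ordering: publish only after success */
    }

    /* CPUB: tun_ring_recv() breaks out on RCV_SHUTDOWN, then tun_put() -> dev_put(). */
    return reader_ref ? model_dev_put(reader_ref) : 0;
}

int main(void)
{
    printf("old ordering, register fails : uaf=%d\n", simulate_tun_set_iff(true, true));
    printf("fixed ordering, register fails: uaf=%d\n", simulate_tun_set_iff(false, true));
    printf("old ordering, register ok    : uaf=%d\n", simulate_tun_set_iff(true, false));
    printf("fixed ordering, register ok  : uaf=%d\n", simulate_tun_set_iff(false, false));
    return 0;
}
```

The model keeps the refcount only to show that it is irrelevant on the error path: free_netdev() releases the memory regardless of how many holders exist, so the only safe fix is to keep the pointer unpublished until registration has succeeded.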