linux-uconsole/drivers/net/can
Zheyu Ma 28f28e4bc3 can: peak_pci: peak_pci_remove(): fix UAF
commit 949fe9b355 upstream.

When removing the module peak_pci, referencing 'chan' again after
releasing 'dev' will cause UAF.

Fix this by releasing 'dev' later.

The following log reveals it:

[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[   35.965513 ] Call Trace:
[   35.965718 ]  dump_stack_lvl+0xa8/0xd1
[   35.966028 ]  print_address_description+0x87/0x3b0
[   35.966420 ]  kasan_report+0x172/0x1c0
[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170
[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20
[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]
[   35.968752 ]  pci_device_remove+0xa9/0x250

Fixes: e6d9c80b7c ("can: peak_pci: add support of some new PEAK-System PCI cards")
Link: https://lore.kernel.org/all/1634192913-15639-1-git-send-email-zheyuma97@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-27 09:56:50 +02:00
..
c_can can: c_can: move runtime PM enable/disable to c_can_platform 2021-03-30 14:32:00 +02:00
cc770 can: drivers: fix spelling mistakes 2020-09-21 10:13:16 +02:00
dev net: introduce CAN specific pointer in the struct net_device 2021-04-07 15:00:07 +02:00
ifi_canfd treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
m_can can: m_can: m_can_tx_work_queue(): fix tx_skb race condition 2021-05-19 10:13:08 +02:00
mscan can: mscan: simplify clock enable/disable 2020-09-21 10:13:19 +02:00
peak_canfd can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path 2021-07-14 16:55:41 +02:00
rcar can: rcar_can: fix suspend/resume 2021-10-27 09:56:50 +02:00
sja1000 can: peak_pci: peak_pci_remove(): fix UAF 2021-10-27 09:56:50 +02:00
softing can: softing: softing_netdev_open(): fix error handling 2020-12-05 13:08:11 -08:00
spi can: hi311x: fix a signedness bug in hi3110_cmd() 2021-08-04 12:46:44 +02:00
usb can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification 2021-10-27 09:56:50 +02:00
at91_can.c can: drivers: fix spelling mistakes 2020-09-21 10:13:16 +02:00
flexcan.c can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate 2021-03-30 14:31:59 +02:00
grcan.c can: drivers: fix spelling mistakes 2020-09-21 10:13:16 +02:00
janz-ican3.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
Kconfig can: kvaser_pciefd: select CONFIG_CRC32 2021-01-17 14:17:00 +01:00
kvaser_pciefd.c can: kvaser_pciefd: Always disable bus load reporting 2021-03-30 14:31:59 +02:00
led.c
Makefile can: dev: move driver related infrastructure into separate subdir 2021-04-07 15:00:07 +02:00
pch_can.c can: pch_can: use generic power management 2020-09-21 10:13:18 +02:00
slcan.c net: introduce CAN specific pointer in the struct net_device 2021-04-07 15:00:07 +02:00
sun4i_can.c can: sun4i_can: sun4i_can_err(): don't count arbitration lose as an error 2020-11-30 12:43:54 +01:00
ti_hecc.c can: ti_hecc: Fix memleak in ti_hecc_probe 2020-11-15 18:24:35 +01:00
vcan.c net: introduce CAN specific pointer in the struct net_device 2021-04-07 15:00:07 +02:00
vxcan.c net: introduce CAN specific pointer in the struct net_device 2021-04-07 15:00:07 +02:00
xilinx_can.c can: xilinx_can: handle failure cases of pm_runtime_get_sync 2020-11-03 22:30:32 +01:00