[Kernel] Re: [PATCH OpenHarmony-5.10 16/18] NFC: add NCI_UNREG flag to eliminate the race

在 2022/1/24 9:03, yiyuchangchun@126.com 写道:

From: Lin Ma

stable inclusion form stable-v5.10.82 commit 34e54703fb0fdbfc0a3cfc065d71e9a8353d3ac9 issue: #I4RVJ4 CVE: CVE-2021-4202

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

Signed-off-by: Yu Changchun --------------------------------

[ Upstream commit 48b71a9e66c2eab60564b1b1c85f4928ed04e406 ]

There are two sites that calls queue_work() after the destroy_workqueue() and lead to possible UAF.

The first site is nci_send_cmd(), which can happen after the nci_close_device as below

nfcmrvl_nci_unregister_dev | nfc_genl_dev_up nci_close_device | flush_workqueue | del_timer_sync | nci_unregister_device | nfc_get_device destroy_workqueue | nfc_dev_up nfc_unregister_device | nci_dev_up device_del | nci_open_device | __nci_request | nci_send_cmd | queue_work !!!

Another site is nci_cmd_timer, awaked by the nci_cmd_work from the nci_send_cmd.

... | ... nci_unregister_device | queue_work destroy_workqueue | nfc_unregister_device | ... device_del | nci_cmd_work | mod_timer | ... | nci_cmd_timer | queue_work !!!

For the above two UAF, the root cause is that the nfc_dev_up can race between the nci_unregister_device routine. Therefore, this patch introduce NCI_UNREG flag to easily eliminate the possible race. In addition, the mutex_lock in nci_close_device can act as a barrier.

Signed-off-by: Lin Ma Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") Reviewed-by: Jakub Kicinski Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20211116152732.19238-1-linma@zju.edu.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Signed-off-by: Chen Jun Signed-off-by: Zheng Zengkai Signed-off-by: Yu Changchun --- include/net/nfc/nci_core.h | 1 + net/nfc/nci/core.c | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-)

Reviewed-by: Wei Yongjun