Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:ice: arfs: fix use-after-free when freeing @rx_cpu_rmapThe CI testing bots triggered the following splat:[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020[ 718.223418] Call Trace:[ 718.227139][ 718.230783] dump_stack_lvl+0x33/0x42[ 718.234431] print_address_description.constprop.9+0x21/0x170[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80[ 718.245539] kasan_report.cold.18+0x7f/0x11b[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80[ 718.252852] free_irq_cpu_rmap+0x53/0x80[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice][ 718.260174] ice_remove_arfs+0x5f/0x70 [ice][ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice][ 718.267419] ice_rebuild+0x39c/0xb60 [ice][ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice][ 718.278033] ? delay_tsc+0x4a/0xb0[ 718.281513] ? preempt_count_sub+0x14/0xc0[ 718.284984] ? delay_tsc+0x8f/0xb0[ 718.288463] ice_do_reset+0x92/0xf0 [ice][ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice][ 718.295561] pci_reset_function+0x53/0x80<...>[ 718.393035] Allocated by task 690:[ 718.433497] Freed by task 20834:[ 718.495688] Last potentially related work creation:[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 which belongs to the cache kmalloc-96 of size 96[ 718.574085] The buggy address is located 0 bytes inside of 96-byte region [ffff8881bd127e00, ffff8881bd127e60)[ 718.579265] The buggy address belongs to the page:[ 718.598905] Memory state around the buggy address:[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc[ 718.610811] ^[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fcThis is due to that free_irq_cpu_rmap() is always being called*after* (devm_)free_irq() and thus it tries to work with IRQ descsalready freed. For example, on device reset the driver frees thermap right before allocating a new one (the splat above).Make rmap creation and freeing function symmetrical with{request,free}_irq() calls i.e. do that on ifup/ifdown insteadof device probe/remove/resume. These operations can be performedindependently from the actual device aRFS configuration.Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiersonly when aRFS is disabled -- otherwise, CPU rmap sets and clearsits own and they must not be touched manually.
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds