From: Jeongjun Park aha310510@gmail.com
mainline inclusion from mainline-v6.12-rc1 commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
Signed-off-by: Jeongjun Park aha310510@gmail.com Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Conflicts: drivers/net/xen-netback/hash.c [ A previous commit f3265971ded9 is not merged, but it is ok to merge this patch. Because this patch will remove the modification of the previous patch. ] Signed-off-by: Luo Gengkun luogengkun2@huawei.com --- drivers/net/xen-netback/hash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index 10d580c3dea3..bb7545ab9cd1 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -94,7 +94,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags;
if (xenvif_hash_cache_size == 0) @@ -102,7 +102,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu);