CVE-2023-53556

Source: https://cve.org/CVERecord?id=CVE-2023-53556
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53556.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2023-53556
Published: 2025-10-04T15:17:01.238Z
Modified: 2026-04-11T12:46:49.851032Z
Summary
iavf: Fix use-after-free in free_netdev
Details

In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix use-after-free in free_netdev

We do netif_napi_add() for all allocated q_vectors[], but potentially do netif_napi_del() for part of them, then kfree q_vectors and leave invalid pointers at dev->napi_list.

Reproducer:

[root@host ~]# cat repro.sh
#!/bin/bash

pf_dbsf="0000:41:00.0"
vf0_dbsf="0000:41:02.0"
g_pids=()

function do_set_numvf()
{
    echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
    sleep $((RANDOM%3+1))
    echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
    sleep $((RANDOM%3+1))
}

function do_set_channel()
{
    local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)
    [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; }
    ifconfig $nic 192.168.18.5 netmask 255.255.255.0
    ifconfig $nic up
    ethtool -L $nic combined 1
    ethtool -L $nic combined 4
    sleep $((RANDOM%3))
}

function on_exit()
{
    local pid
    for pid in "${g_pids[@]}"; do
        kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
    done
    g_pids=()
}

trap "on_exit; exit" EXIT

while :; do do_set_numvf ; done &
g_pids+=($!)
while :; do do_set_channel ; done &
g_pids+=($!)

wait

Result:

[ 4093.900222] ==================================================================
[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390
[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699
[ 4093.900233]
[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
[ 4093.900239] Call Trace:
[ 4093.900244] dump_stack+0x71/0xab
[ 4093.900249] print_address_description+0x6b/0x290
[ 4093.900251] ? free_netdev+0x308/0x390
[ 4093.900252] kasan_report+0x14a/0x2b0
[ 4093.900254] free_netdev+0x308/0x390
[ 4093.900261] iavf_remove+0x825/0xd20 [iavf]
[ 4093.900265] pci_device_remove+0xa8/0x1f0
[ 4093.900268] device_release_driver_internal+0x1c6/0x460
[ 4093.900271] pci_stop_bus_device+0x101/0x150
[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20
[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420
[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10
[ 4093.900278] ? pci_get_subsys+0x90/0x90
[ 4093.900280] sriov_disable+0xed/0x3e0
[ 4093.900282] ? bus_find_device+0x12d/0x1a0
[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e]
[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e]
[ 4093.900299] ? pci_get_device+0x7c/0x90
[ 4093.900300] ? pci_get_subsys+0x90/0x90
[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210
[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10
[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
[ 4093.900318] sriov_numvfs_store+0x214/0x290
[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30
[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10
[ 4093.900323] ? __check_object_size+0x15a/0x350
[ 4093.900326] kernfs_fop_write+0x280/0x3f0
[ 4093.900329] vfs_write+0x145/0x440
[ 4093.900330] ksys_write+0xab/0x160
[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0
[ 4093.900334] ? fput_many+0x1a/0x120
[ 4093.900335] ? filp_close+0xf0/0x130
[ 4093.900338] do_syscall_64+0xa0/0x370
[ 4093.900339] ? page_fault+0x8/0x30
[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 4093.900357] RIP: 0033:0x7f16ad4d22c0
[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24
[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0
[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001
[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700
[ 4093.9003 ---truncated---
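
The bookkeeping error described in the Details, modelled in user-space C as an added example (not the kernel's code and not the upstream patch). The structure and function names are simplified stand-ins, and the counts 4 and 1 mirror the reproducer's `ethtool -L` values. It reports how many list entries still point into the vector array at the moment the array is freed; unlinking every vector that was added leaves none.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins (assumed names) for napi_struct, q_vectors[] and dev->napi_list. */
struct napi { struct napi *next; };
struct q_vector { struct napi napi; };
struct netdev { struct napi *napi_list; };

static void napi_add(struct netdev *dev, struct napi *n)
{
    n->next = dev->napi_list;
    dev->napi_list = n;
}

static void napi_del(struct netdev *dev, struct napi *n)
{
    for (struct napi **pp = &dev->napi_list; *pp; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; return; }
}

/* Every node on the list lives inside the q_vector array in this model. */
static int list_len(const struct netdev *dev)
{
    int len = 0;
    for (const struct napi *n = dev->napi_list; n; n = n->next) len++;
    return len;
}

/* Link `allocated` vectors, unlink only the first `unlinked`, and return how
 * many list entries would dangle once the array is freed. */
int stale_after_teardown(int allocated, int unlinked)
{
    struct netdev dev = { NULL };
    struct q_vector *qv = calloc((size_t)allocated, sizeof(*qv));
    if (!qv) return -1;

    for (int i = 0; i < allocated; i++) napi_add(&dev, &qv[i].napi);
    for (int i = 0; i < unlinked; i++) napi_del(&dev, &qv[i].napi);
    int stale = list_len(&dev);   /* measured before free(), so nothing freed is read */
    free(qv);
    return stale;
}

int main(void)
{
    printf("4 added, 1 unlinked: %d stale entries\n", stale_after_teardown(4, 1));
    printf("4 added, 4 unlinked: %d stale entries\n", stale_after_teardown(4, 4));
    return 0;
}
```

Any non-zero result corresponds to the state in which a later walk of the list, such as the one in free_netdev shown in the KASAN report, reads freed memory.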

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53556.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 5eae00c57f5e42bf201023471917da213c4946d6
Fixed: 17046107ca15d7571551539d94e76aba2bf71fd3
Fixed: a4635f190f332304db4a49e827ece790b804b5db
Fixed: 345c44e18cc10cded85cb9134830e1684495c866
Fixed: ca12b98e04b5d1902ac08fe826d3500cb4b6e891
Fixed: 8d781a9c53034813c3194b7d94409c7d24ac73eb
Fixed: 5f4fa1672d98fe99d2297b03add35346f1685d6b

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53556.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM, Introduced: 3.14.0, Fixed: 5.4.251
Type: ECOSYSTEM, Introduced: 5.5.0, Fixed: 5.10.188
Type: ECOSYSTEM, Introduced: 5.11.0, Fixed: 5.15.123
Type: ECOSYSTEM, Introduced: 5.16.0, Fixed: 6.1.42
Type: ECOSYSTEM, Introduced: 6.2.0, Fixed: 6.4.7

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53556.json"