Re: [PATCH] drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in vxge-main.c

From: wentao_liang_g
Date: Sun Jun 19 2022 - 02:24:18 EST


Hi,

I have replied your mail and answered your questions about my
patch a few days ago as follow. Do you have any more question?
I have already renewed the patch with the correct subject and tag.

I am looking forward to the patch being accepted and merged.
 
Thanks
 
Wentao
 
 
>No errors happening during a test is not a sufficient proof of
>correctness. You need to analyze the driver and figure out what bar0
>is used for.
 
Bar0 is a Base Address Register (BAR) in PCIe devices. It points
to the memory space of the device. When the device is removed,
we need to iounmap it. We check the related code and do not find
bar0 is reference in the remaining part of vxge_remove(). We believe
move the iounmap to the front of vxge_device_unregister is properly.
 
 
>Alternatively just save the address of bar0 to a local variable, let
>the netdev unregister happen, and then call *unmap() on the local
>variable. That won't move the unmap and avoid the UAF.
 
This is not a right way to patch the bug. The UAF is not triggered
by accessing the address itself but accessing the memory pointed
by bar0. Even if the address is saved, the memory is still freed.
Accessing the memory in iounmap will result in UAF as well. The
experiment also proved it.
 
>But please LMK how you use these cards first.
 
In order to trigger the vulnerability, a vxge device is required.
We use QEMU to emulate the device.
 
Besides, I want to point out that the UAF bug does is in the remove
routine of the device. There is not any operation to a removed device.
If the device can be removed safely in the patched kernel, we do not
have to warry about anything else.