From: Taehee Yoo
To: johannes@sipsolutions.net, kvalo@codeaurora.org, linux-wireless@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH mac80211] virt_wifi: fix use-after-free in virt_wifi_newlink()
Date: Thu, 21 Nov 2019 12:26:45 +0000
Message-Id: <20191121122645.9355-1-ap420073@gmail.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: linux-wireless@vger.kernel.org

When a virt_wifi interface is created, virt_wifi_newlink() is called and
it calls register_netdevice().
If register_netdevice() fails, it internally would call ->priv_destructor(),
which is virt_wifi_net_device_destructor(), and it frees netdev.
But virt_wifi_newlink() still uses netdev.
So, a use-after-free would occur in virt_wifi_newlink().

Test commands:
    ip link add dummy0 type dummy
    modprobe bonding
    ip link add bonding_masters link dummy0 type virt_wifi

Splat looks like:
[  202.220554] BUG: KASAN: use-after-free in virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.221659] Read of size 8 at addr ffff888061629cb8 by task ip/852
[  202.222896] CPU: 1 PID: 852 Comm: ip Not tainted 5.4.0-rc5 #3
[  202.223765] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  202.225073] Call Trace:
[  202.225532]  dump_stack+0x7c/0xbb
[  202.226073]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.226869]  print_address_description.constprop.5+0x1be/0x360
[  202.227759]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.228550]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.229362]  __kasan_report+0x12a/0x16f
[  202.229980]  ? virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.230714]  kasan_report+0xe/0x20
[  202.232595]  virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.233370]  __rtnl_newlink+0xb9f/0x11b0
[  202.233929]  ? rtnl_link_unregister+0x220/0x220
[  202.234668]  ? lock_acquire+0x164/0x3b0
[  202.235344]  ? rtnl_newlink+0x4c/0x90
[  202.235923]  ? is_bpf_text_address+0x86/0xf0
[  202.236588]  ? kernel_text_address+0x111/0x120
[  202.237291]  ? __lock_acquire+0xdfe/0x3de0
[  202.237834]  ? __kernel_text_address+0xe/0x30
[  202.238414]  ? unwind_get_return_address+0x5f/0xa0
[  202.239207]  ? create_prof_cpu_mask+0x20/0x20
[  202.240163]  ? arch_stack_walk+0x83/0xb0
[  202.240916]  ? stack_trace_save+0x82/0xb0
[  202.241640]  ? stack_trace_consume_entry+0x160/0x160
[  202.242595]  ? rtnl_newlink+0x4c/0x90
[  202.243499]  ? kasan_unpoison_shadow+0x30/0x40
[  202.244192]  ? kmem_cache_alloc_trace+0x12c/0x320
[  202.244909]  rtnl_newlink+0x65/0x90
[ ... ]

Fixes: c7cdba31ed8b ("mac80211-next: rtnetlink wifi simulation device")
Signed-off-by: Taehee Yoo
---
 drivers/net/wireless/virt_wifi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/virt_wifi.c b/drivers/net/wireless/virt_wifi.c
index 7997cc6de334..01305ba2d3aa 100644
--- a/drivers/net/wireless/virt_wifi.c
+++ b/drivers/net/wireless/virt_wifi.c
@@ -450,7 +450,6 @@ static void virt_wifi_net_device_destructor(struct net_device *dev)
 	 */
 	kfree(dev->ieee80211_ptr);
 	dev->ieee80211_ptr = NULL;
-	free_netdev(dev);
 }
 
 /* No lock interaction. */
@@ -458,7 +457,7 @@ static void virt_wifi_setup(struct net_device *dev)
 {
 	ether_setup(dev);
 	dev->netdev_ops = &virt_wifi_ops;
-	dev->priv_destructor = virt_wifi_net_device_destructor;
+	dev->needs_free_netdev = true;
 }
 
 /* Called in a RCU read critical section from netif_receive_skb */
@@ -544,6 +543,7 @@ static int virt_wifi_newlink(struct net *src_net, struct net_device *dev,
 		goto unregister_netdev;
 	}
 
+	dev->priv_destructor = virt_wifi_net_device_destructor;
 	priv->being_deleted = false;
 	priv->is_connected = false;
 	priv->is_up = false;
-- 
2.17.1
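Review bot: in the virt_wifi_net_device_destructor() hunk, dropping `free_netdev(dev);` changes the destructor's contract: it now releases only dev->ieee80211_ptr and leaves freeing the net_device itself to the core (via needs_free_netdev). The comment block that closes with the `*/` at the top of the hunk should be updated to state that, since a destructor that used to own the whole free and no longer does is the first place a future reader will look when tracing who frees the device.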
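Review bot: in the virt_wifi_setup() hunk, replacing `dev->priv_destructor = virt_wifi_net_device_destructor;` with `dev->needs_free_netdev = true;` means no destructor is attached between setup and the end of newlink, which is what stops register_netdevice() from freeing the device behind the caller's back. A one-line comment here pointing to where priv_destructor is now assigned would help, because otherwise setup looks as if it simply forgot the destructor.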
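Review bot: in the virt_wifi_newlink() hunk, priv_destructor is assigned only after the `goto unregister_netdev;` visible in the context, so on that error path unregister_netdevice() runs with no destructor and dev->ieee80211_ptr has to be released by the function's own error labels rather than by the destructor. Please add a comment saying this ordering is deliberate (attach the destructor only once the device is fully registered and linked, so no earlier failure path can invoke it), so nobody later "fixes" it by moving the assignment back up.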