In the Linux kernel, a recent vulnerability (CVE-2024-26895) has been identified and resolved in the wilc1000 WiFi driver. It is a use-after-free on the virtual interface (vif) in the wilc_netdev_cleanup function, which is triggered on the interface registration error path when either removing the module or unbinding the device from the driver.

The issue was first observed as a KASAN (Kernel Address Sanitizer) slab-use-after-free report in the affected code. That report led to a patch that fixes the vulnerability with two mechanisms: traversing the vif list with list_for_each_entry_safe, and waiting for an RCU (Read-Copy-Update) grace period to end after each vif removal.

For more context, here is the KASAN report showing the use-after-free in wilc_netdev_cleanup:

BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
Read of size 4 at addr c54d1ce8 by task sh/86

CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
Hardware name: Atmel SAMA5
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x34/0x58
dump_stack_lvl from print_report+0x154/0x500
print_report from kasan_report+0xac/0xd8

Investigation by David Mosberger-Tan [1] showed that the use-after-free was caused by unregistering the net device while traversing the vif list: unregistering the netdevice also frees the corresponding vif object, so the next loop iteration accessed the freed vif pointer. The fix uses list_for_each_entry_safe to walk the list safely, which allows the list to be modified on the fly. Additionally, the patch waits for the RCU grace period to end after each vif removal, guaranteeing that it is safe to free the corresponding vif through unregister_netdev.

Using list_for_each_entry_safe is the safer and more efficient choice for this traversal because it tolerates the current entry being removed while the list is being walked. Furthermore, because the list modification is serialized by the vif_mutex lock and does not race with any other modification, the RCU list API is not needed for the traversal itself, so list_for_each_entry_safe can be used directly.
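As an added illustration (not the kernel's code, nor the driver author's), here is a userspace model of the safe traversal the fix relies on: the list macros are a minimal copy of the kernel's intrusive list, unregister_netdev_model and make_wilc_model are hypothetical stand-ins, and the synchronize_rcu() wait is shown as a comment since it has no userspace equivalent.

```c
#include <stddef.h>
#include <stdlib.h>
/* Minimal kernel-style intrusive list (constructed model, not kernel code). */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
/* Saves the next node in n before the body runs, so the body may free pos. */
#define list_for_each_entry_safe(pos, n, head, member)                      \
    for (pos = list_entry((head)->next, __typeof__(*pos), member),          \
         n = list_entry(pos->member.next, __typeof__(*pos), member);        \
         &pos->member != (head);                                            \
         pos = n, n = list_entry(n->member.next, __typeof__(*n), member))
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *head) {
    e->prev = head->prev; e->next = head; head->prev->next = e; head->prev = e;
}
static void list_del(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev; e->next = e->prev = NULL;
}
struct wilc { struct list_head vif_list; int vif_num; };
struct wilc_vif { int idx; struct list_head list; };
/* Stand-in for unregister_netdev(): releasing the netdev frees the vif that
 * embeds it, so the caller must not touch vif afterwards (the original UAF). */
static void unregister_netdev_model(struct wilc_vif *vif) { free(vif); }
/* Tears down every vif and returns the count. A plain list_for_each_entry
 * would read vif->list.next from freed memory at the top of the next pass. */
int wilc_netdev_cleanup_model(struct wilc *wilc) {
    struct wilc_vif *vif, *vif_tmp;
    int removed = 0;
    /* In the driver, vif_mutex guards the list and is dropped around the
     * grace-period wait so RCU readers of the list can finish. */
    list_for_each_entry_safe(vif, vif_tmp, &wilc->vif_list, list) {
        list_del(&vif->list);         /* list_del_rcu() in the kernel */
        wilc->vif_num--;
        /* synchronize_rcu() would sit here: no reader can still hold vif */
        unregister_netdev_model(vif); /* frees vif; vif_tmp is already saved */
        removed++;
    }
    return removed;
}
/* Constructed sample input: a wilc with n registered vifs. */
struct wilc *make_wilc_model(int n) {
    struct wilc *w = calloc(1, sizeof(*w));
    INIT_LIST_HEAD(&w->vif_list);
    for (int i = 0; i < n; i++) {
        struct wilc_vif *v = calloc(1, sizeof(*v));
        v->idx = i;
        list_add_tail(&v->list, &w->vif_list);
        w->vif_num++;
    }
    return w;
}
```

Running the same loop with list_for_each_entry instead of the _safe variant reproduces the freed-pointer read that KASAN flagged, which is why the model only ships the corrected form.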

With this patch applied, the vulnerability (CVE-2024-26895) in the Linux kernel's wilc1000 WiFi driver, the use-after-free on vif, has been addressed and resolved.

[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5dea3b2ca21f275a07af967d2.camel@egauge.net/

Timeline

Published on: 04/17/2024 11:15:10 UTC
Last modified on: 11/21/2024 09:03:19 UTC