[SRU][M/F][PATCH 0/1] CVE-2023-6270
Bethany Jamison
bethany.jamison at canonical.com
Mon Apr 29 22:42:17 UTC 2024
[Impact]

aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel.
The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct
net_device`, and a use-after-free can be triggered by racing between the
free on the struct and the access through the `skbtxq` global queue. This
could lead to a denial of service condition or potential code execution.

In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
code is finished. But the net_device ifp will still be used in
later tx()->dev_queue_xmit() in kthread. Which means that the
dev_put(ifp) should NOT be called in the success path of skb
initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
use-after-free because the net_device is freed.

This patch removed the dev_put(ifp) in the success path in
aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
[Fix]
Mantic: Clean cherry-pick from linux-6.6.y.
Jammy: pending
Focal: Mantic patch applied cleanly.
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: not going to be fixed by us
[Test Case]
Compile and boot tested.
[Where problems could occur]
This fix affects those who use the ATA over Ethernet driver; an issue
with this fix would be visible to the user via data corruption or a
system crash.
Chun-Yi Lee (1):
aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
drivers/block/aoe/aoecmd.c | 12 ++++++------
drivers/block/aoe/aoenet.c | 1 +
2 files changed, 7 insertions(+), 6 deletions(-)
--
2.34.1
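
The reference-count ordering described under [Impact], as a simplified userspace model added here (not part of the original message and not the kernel patch itself). It replays one interleaving: the packet is queued, the device owner drops its reference, then tx() runs. The `fixed` flag, `run_race()`, the one-slot queue, the `freed` flag and the dev_hold() call in the producer are assumptions of the model.

```c
#include <stdio.h>

/* Userspace model only: "freed" is a flag, so the stale access can be observed safely. */
struct net_device { int refcnt; int freed; };
struct sk_buff { struct net_device *dev; };

static struct sk_buff *skbtxq;   /* one-slot stand-in for the global skbtxq queue */

static void dev_hold(struct net_device *d) { d->refcnt++; }
static void dev_put(struct net_device *d) { if (--d->refcnt == 0) d->freed = 1; }

/* Producer: builds the skb and queues it for the tx kthread. */
static void cfg_pkts(struct net_device *ifp, struct sk_buff *skb, int fixed)
{
    dev_hold(ifp);               /* assumed: reference taken while building the skb */
    skb->dev = ifp;
    skbtxq = skb;
    if (!fixed)
        dev_put(ifp);            /* pre-fix: reference dropped while skb is still queued */
}

/* Consumer: returns 1 if it touched a device that was already released. */
static int tx(int fixed)
{
    struct sk_buff *skb = skbtxq;
    struct net_device *ifp = skb->dev;
    int stale = ifp->freed;      /* stands in for dev_queue_xmit() using skb->dev */
    skbtxq = NULL;
    if (fixed)
        dev_put(ifp);            /* post-fix: reference dropped after xmit */
    return stale;
}

/* Interleaving: queue the packet, tear the device down, then let tx() run. */
int run_race(int fixed)
{
    struct net_device dev = { .refcnt = 1, .freed = 0 };  /* owner's reference */
    struct sk_buff skb = { 0 };
    cfg_pkts(&dev, &skb, fixed);
    dev_put(&dev);               /* owner releases the device before tx() runs */
    return tx(fixed);
}

int main(void)
{
    printf("pre-fix stale access: %d\n", run_race(0));
    printf("post-fix stale access: %d\n", run_race(1));
    return 0;
}
```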