• Lin Ma's avatar
    NFC: reorder the logic in nfc_{un,}register_device · 3e3b5dfc
    Lin Ma authored
    There is a potential UAF between the unregistration routine and the NFC
    netlink operations.
    
    The race that cause that UAF can be shown as below:
    
     (FREE)                      |  (USE)
    nfcmrvl_nci_unregister_dev   |  nfc_genl_dev_up
      nci_close_device           |
      nci_unregister_device      |    nfc_get_device
        nfc_unregister_device    |    nfc_dev_up
          rfkill_destory         |
          device_del             |      rfkill_blocked
      ...                        |    ...
    
    The root cause for this race is concluded below:
    1. The rfkill_blocked (USE) in nfc_dev_up is supposed to be placed after
    the device_is_registered check.
    2. Since the netlink operations are possible just after the device_add
    in nfc_register_device, the nfc_dev_up() can happen anywhere during the
    rfkill creation process, which leads to data race.
    
    This patch reorder these actions to permit
    1. Once device_del is finished, the nfc_dev_up cannot dereference the
    rfkill object.
    2. The rfkill_register need to be placed after the device_add of nfc_dev
    because the parent device need to be created first. So this patch keeps
    the order but inject device_lock to prevent the data race.
    Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
    Fixes: be055b2f ("NFC: RFKILL support")
    Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
    Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Link: https://lore.kernel.org/r/20211116152652.19217-1-linma@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    3e3b5dfc
core.c 24.7 KB