CVE-2022-50220

Summary

In the Linux kernel, the following vulnerability has been resolved:

usbnet: Fix linkwatch use-after-free on disconnect

usbnet uses the work usbnet_deferred_kevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":

https://git.kernel.org/tglx/history/c/0f138bbfd83c

The change was made because back then, the kernel's workqueue implementation did not allow waiting for a single work. One had to wait for completion of all work by calling flush_scheduled_work(), and that could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex held in ->ndo_stop().

The commit solved one problem but created another: It causes a use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c, ax88179_178a.c, ch9200.c and smsc75xx.c:

  • If the drivers receive a link change interrupt immediately before disconnect, they raise EVENT_LINK_RESET in their (non-sleepable) ->status() callback and schedule usbnet_deferred_kevent().
  • usbnet_deferred_kevent() invokes the driver's ->link_reset() callback, which calls netif_carrier_{on,off}().
  • That in turn schedules the work linkwatch_event().

Because usbnet_deferred_kevent() is awaited after unregister_netdev(), netif_carrier_{on,off}() may operate on an unregistered netdev and linkwatch_event() may run after free_netdev(), causing a use-after-free.

In 2010, usbnet was changed to only wait for a single instance of usbnet_deferred_kevent() instead of all work by commit 23f333a2bfaf ("drivers/net: don't use flush_scheduled_work()").

Unfortunately the commit neglected to move the wait back to ->ndo_stop(). Rectify that omission at long last.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < d2d6b530d89b0a912148018027386aa049f0a309affected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < e2a521a7dcc463c5017b4426ca0804e151faeff7affected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < 7f77dcbc030c2faa6d8e8a594985eeb34018409eaffected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < 8b4588b8b00b299be16a35be67b331d8fdba03f3affected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < 135199a2edd459d2b123144efcd7f9bcd95128e4affected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < 635fd8953e4309b54ca6a81bed1d4a87668694f4affected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < d49bb8cf9bfaa06aa527eb30f1a52a071da2e32faffected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < db3b738ae5f726204876f4303c49cfdf4311403faffected
LinuxLinux23f333a2bfafba80339315b724808982a9de57d9 < a69e617e533edddf3fa3123149900f36e0a6dc74affected
LinuxLinux2.6.38affected
LinuxLinux0 < 2.6.38unaffected
LinuxLinux4.9.326 <= 4.9.*unaffected
LinuxLinux4.14.291 <= 4.14.*unaffected
LinuxLinux4.19.256 <= 4.19.*unaffected
LinuxLinux5.4.211 <= 5.4.*unaffected
LinuxLinux5.10.137 <= 5.10.*unaffected
LinuxLinux5.15.61 <= 5.15.*unaffected
LinuxLinux5.18.18 <= 5.18.*unaffected
LinuxLinux5.19.2 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References