Recently, a vulnerability in the Linux kernel was discovered and fixed. This vulnerability involved the net: dsa: ar9331 system. Specifically, the issue arose when mdiobus_free() was not unregistered, causing it to panic when called through devm_mdiobus_free() within __device_release_driver().

Problem

Previously, the ar9331 MDIO device might panic during shutdown if the DSA master itself were on a bus that called ->remove from ->shutdown. This occurred due to an active device link between the switch and the DSA master, resulting in the unbinding of the ar9331 switch driver when device_links_unbind_consumers() was called during shutdown.

Solution

To fix this vulnerability, the ar9331 driver needed to have a change in its mdiobus allocation and registration. The chosen approach was taken from earlier commits:

5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres")

The solution was to use devres for both the mdiobus allocation and registration or avoid using devres altogether.

This is the code snippet showing the changes made to the ar9331 driver in order to fix the issue

/* Replace of_mdiobus_register with devm_of_mdiobus_register */
err = devm_of_mdiobus_register(dev, ar9331_sw->mii_bus, np);
if (err) {
       dev_err(dev, "Failed to register mdiobus: %d\n", err);
       return err;
}

This change ensures that the mdiobus_free() function does not panic when called, as it is correctly unregistered beforehand.

Exploit Details

As this vulnerability applies only to certain specific scenarios, exploiting it would be relatively difficult. An attacker would need to target systems with the DSA master on a bus that calls ->remove from ->shutdown and where the ar9331 switch driver is not unbound. Still, addressing this issue is necessary to ensure a more secure and stable Linux kernel.

Conclusion

The recent discovery of the CVE-2022-48817 vulnerability in the Linux kernel helped enhance the stability of the kernel in certain situations. By applying the fix that registers the mdiobus under devres, developers can avoid panics caused by the still-registered bus. This ultimately leads to a more reliable and secure operating environment for Linux users.

Original References & Further Reading

- Commit 74b6d7d13307: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=74b6d7d133077b435f657025179a4ab2e13d399c
- Commit 5135e96a3dd2: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5135e96a3dd211ebe3e007de30fd7c4ae58034ed

Timeline

Published on: 07/16/2024 12:15:05 UTC
Last modified on: 07/16/2024 13:43:58 UTC