In the Linux kernel, the following vulnerability has been resolved:

xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini()

After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes the remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.

The following is a simple race scenario:

cpu0                                                    cpu1
cleanup_net() [Round 1]
  ops_undo_list()
    xfrm_net_exit()
      xfrm_nat_keepalive_net_fini()
        cancel_delayed_work_sync(nat_keepalive_work);
      xfrm_state_fini()
        xfrm_state_flush()
          xfrm_state_delete(x)
            __xfrm_state_delete(x)
              xfrm_nat_keepalive_state_updated(x)
                schedule_delayed_work(nat_keepalive_work);
  rcu_barrier();
  net_complete_free();
    net_passive_dec(net);
      llist_add(&net->defer_free_list, &defer_free_list);
cleanup_net() [Round 2]
  rcu_barrier();
  net_complete_free()
    kmem_cache_free(net_cachep, net);
                                                        nat_keepalive_work()
                                                        // on freed net

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().
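The point of the fix is the difference in semantics between the two teardown helpers: cancelling only removes the instance that is currently queued, so any later schedule call (here, the per-state hook run during the flush) re-arms the work; disabling also rejects every later schedule attempt. The following is an added userspace model illustrating that difference; it is not the kernel's workqueue code, and all function and field names in it (model_schedule, model_cancel_sync, model_disable_sync, teardown_leaves_work_pending, struct delayed_work_model) are hypothetical stand-ins for the kernel primitives named in the advisory.

```c
/* Added example: a minimal userspace model of the two workqueue teardown
 * patterns the advisory contrasts. This is NOT the kernel's workqueue
 * implementation; it only models the observable semantics:
 *   - cancel_delayed_work_sync() stops the pending instance but leaves the
 *     work schedulable,
 *   - disable_delayed_work_sync() additionally rejects later schedule calls.
 * All names below are hypothetical model names, not kernel symbols. */
#include <stdbool.h>
#include <stdio.h>

struct delayed_work_model {
    bool pending;   /* queued: the work function will run later */
    bool disabled;  /* schedule requests are refused */
};

/* Model of schedule_delayed_work(): returns true if the work was queued. */
bool model_schedule(struct delayed_work_model *w)
{
    if (w->disabled || w->pending)
        return false;
    w->pending = true;
    return true;
}

/* Model of cancel_delayed_work_sync(): dequeues, but leaves the work armable. */
bool model_cancel_sync(struct delayed_work_model *w)
{
    bool was_pending = w->pending;
    w->pending = false;
    return was_pending;
}

/* Model of disable_delayed_work_sync(): dequeues AND refuses future scheduling. */
bool model_disable_sync(struct delayed_work_model *w)
{
    bool was_pending = w->pending;
    w->pending = false;
    w->disabled = true;
    return was_pending;
}

/* Replays the advisory's ordering: net_fini stops the work, then state_fini
 * flushes the remaining states, and each deletion runs the "state updated"
 * hook, which tries to re-schedule the work. Returns true if the work is
 * still pending after teardown, i.e. it would run against the freed net. */
bool teardown_leaves_work_pending(bool use_disable)
{
    /* Constructed starting state: keepalive work is armed for this net. */
    struct delayed_work_model work = { .pending = true, .disabled = false };

    /* xfrm_nat_keepalive_net_fini() */
    if (use_disable)
        model_disable_sync(&work);
    else
        model_cancel_sync(&work);

    /* xfrm_state_fini() -> xfrm_state_flush() -> __xfrm_state_delete()
     *   -> xfrm_nat_keepalive_state_updated() for each remaining state.
     * Three states is a constructed count; one would be enough. */
    for (int i = 0; i < 3; i++)
        model_schedule(&work);

    return work.pending;
}

int main(void)
{
    printf("cancel path: work pending after teardown = %d\n",
           teardown_leaves_work_pending(false));
    printf("disable path: work pending after teardown = %d\n",
           teardown_leaves_work_pending(true));
    return 0;
}
```

With the cancel-only path the work is re-armed during the state flush and survives teardown, which is the use-after-free window in the diagram above; with the disable path the hook's schedule call is refused, so nothing remains queued when the net is freed.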