| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Jul 2018 15:46:01 +0200
From: Johannes Thumshirn <jthumshirn@...e.de>
To: "Martin K . Petersen" <martin.petersen@...cle.com>
Cc: Linux Kernel Mailinglist <linux-kernel@...r.kernel.org>,
Linux SCSI Mailinglist <linux-scsi@...r.kernel.org>,
ard <ard@...ak.net>, Johannes Thumshirn <jthumshirn@...e.de>
Subject: [PATCH 1/3] fcoe: fix use-after-free in fcoe_ctlr_els_send
KASAN reports a use-after-free in fcoe_ctlr_els_send() when we're
sending a LOGO and have FIP debugging enabled. This is because we're
first freeing the skb and then printing the frame's DID. But the DID
is a member of the FC frame header which in turn is the skb's payload.
Exchange the debug print and kfree_skb() calls so we're not touching
the freed data.
Signed-off-by: Johannes Thumshirn <jthumshirn@...e.de>
---
drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c
index ea23c8dffc25..ceb35ebbeb8f 100644
--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -799,9 +799,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport,
fip->send(fip, skb);
return -EINPROGRESS;
drop:
- kfree_skb(skb);
LIBFCOE_FIP_DBG(fip, "drop els_send op %u d_id %x\n",
op, ntoh24(fh->fh_d_id));
+ kfree_skb(skb);
return -EINVAL;
}
EXPORT_SYMBOL(fcoe_ctlr_els_send);
--
2.16.4
Powered by blists - more mailing lists