| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Oct 2022 12:20:43 +0000
From: "Ruhl, Michael J" <michael.j.ruhl@...el.com>
To: Kees Cook <keescook@...omium.org>,
"Ruhl@....outflux.net" <Ruhl@....outflux.net>
CC: "Brandeburg, Jesse" <jesse.brandeburg@...el.com>,
"Nguyen, Anthony L" <anthony.l.nguyen@...el.com>,
"David S. Miller" <davem@...emloft.net>,
"Eric Dumazet" <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>
Subject: RE: [PATCH v3 1/2] igb: Do not free q_vector unless new one was
allocated
>-----Original Message-----
>From: Kees Cook <keescook@...omium.org>
>Sent: Tuesday, October 18, 2022 5:25 AM
>To: Ruhl@....outflux.net; Ruhl, Michael J <michael.j.ruhl@...el.com>
>Cc: Kees Cook <keescook@...omium.org>; Brandeburg, Jesse
><jesse.brandeburg@...el.com>; Nguyen, Anthony L
><anthony.l.nguyen@...el.com>; David S. Miller <davem@...emloft.net>;
>Eric Dumazet <edumazet@...gle.com>; Jakub Kicinski <kuba@...nel.org>;
>Paolo Abeni <pabeni@...hat.com>; intel-wired-lan@...ts.osuosl.org;
>netdev@...r.kernel.org; linux-kernel@...r.kernel.org; linux-
>hardening@...r.kernel.org
>Subject: [PATCH v3 1/2] igb: Do not free q_vector unless new one was
>allocated
>
>Avoid potential use-after-free condition under memory pressure. If the
>kzalloc() fails, q_vector will be freed but left in the original
>adapter->q_vector[v_idx] array position.
>
>Cc: Jesse Brandeburg <jesse.brandeburg@...el.com>
>Cc: Tony Nguyen <anthony.l.nguyen@...el.com>
>Cc: "David S. Miller" <davem@...emloft.net>
>Cc: Eric Dumazet <edumazet@...gle.com>
>Cc: Jakub Kicinski <kuba@...nel.org>
>Cc: Paolo Abeni <pabeni@...hat.com>
>Cc: intel-wired-lan@...ts.osuosl.org
>Cc: netdev@...r.kernel.org
>Signed-off-by: Kees Cook <keescook@...omium.org>
>---
> drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/net/ethernet/intel/igb/igb_main.c
>b/drivers/net/ethernet/intel/igb/igb_main.c
>index f8e32833226c..6256855d0f62 100644
>--- a/drivers/net/ethernet/intel/igb/igb_main.c
>+++ b/drivers/net/ethernet/intel/igb/igb_main.c
>@@ -1202,8 +1202,12 @@ static int igb_alloc_q_vector(struct igb_adapter
>*adapter,
> if (!q_vector) {
> q_vector = kzalloc(size, GFP_KERNEL);
> } else if (size > ksize(q_vector)) {
>- kfree_rcu(q_vector, rcu);
>- q_vector = kzalloc(size, GFP_KERNEL);
>+ struct igb_q_vector *new_q_vector;
>+
>+ new_q_vector = kzalloc(size, GFP_KERNEL);
>+ if (new_q_vector)
>+ kfree_rcu(q_vector, rcu);
>+ q_vector = new_q_vector;
Ok, that makes more sense to me.
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@...el.com>
Mike
> } else {
> memset(q_vector, 0, size);
> }
>--
>2.34.1
Powered by blists - more mailing lists