lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 18 Oct 2022 12:20:43 +0000
From:   "Ruhl, Michael J" <michael.j.ruhl@...el.com>
To:     Kees Cook <keescook@...omium.org>,
        "Ruhl@....outflux.net" <Ruhl@....outflux.net>
CC:     "Brandeburg, Jesse" <jesse.brandeburg@...el.com>,
        "Nguyen, Anthony L" <anthony.l.nguyen@...el.com>,
        "David S. Miller" <davem@...emloft.net>,
        "Eric Dumazet" <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        "intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>
Subject: RE: [PATCH v3 1/2] igb: Do not free q_vector unless new one was
 allocated

>-----Original Message-----
>From: Kees Cook <keescook@...omium.org>
>Sent: Tuesday, October 18, 2022 5:25 AM
>To: Ruhl@....outflux.net; Ruhl, Michael J <michael.j.ruhl@...el.com>
>Cc: Kees Cook <keescook@...omium.org>; Brandeburg, Jesse
><jesse.brandeburg@...el.com>; Nguyen, Anthony L
><anthony.l.nguyen@...el.com>; David S. Miller <davem@...emloft.net>;
>Eric Dumazet <edumazet@...gle.com>; Jakub Kicinski <kuba@...nel.org>;
>Paolo Abeni <pabeni@...hat.com>; intel-wired-lan@...ts.osuosl.org;
>netdev@...r.kernel.org; linux-kernel@...r.kernel.org; linux-
>hardening@...r.kernel.org
>Subject: [PATCH v3 1/2] igb: Do not free q_vector unless new one was
>allocated
>
>Avoid potential use-after-free condition under memory pressure. If the
>kzalloc() fails, q_vector will be freed but left in the original
>adapter->q_vector[v_idx] array position.
>
>Cc: Jesse Brandeburg <jesse.brandeburg@...el.com>
>Cc: Tony Nguyen <anthony.l.nguyen@...el.com>
>Cc: "David S. Miller" <davem@...emloft.net>
>Cc: Eric Dumazet <edumazet@...gle.com>
>Cc: Jakub Kicinski <kuba@...nel.org>
>Cc: Paolo Abeni <pabeni@...hat.com>
>Cc: intel-wired-lan@...ts.osuosl.org
>Cc: netdev@...r.kernel.org
>Signed-off-by: Kees Cook <keescook@...omium.org>
>---
> drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/net/ethernet/intel/igb/igb_main.c
>b/drivers/net/ethernet/intel/igb/igb_main.c
>index f8e32833226c..6256855d0f62 100644
>--- a/drivers/net/ethernet/intel/igb/igb_main.c
>+++ b/drivers/net/ethernet/intel/igb/igb_main.c
>@@ -1202,8 +1202,12 @@ static int igb_alloc_q_vector(struct igb_adapter
>*adapter,
> 	if (!q_vector) {
> 		q_vector = kzalloc(size, GFP_KERNEL);
> 	} else if (size > ksize(q_vector)) {
>-		kfree_rcu(q_vector, rcu);
>-		q_vector = kzalloc(size, GFP_KERNEL);
>+		struct igb_q_vector *new_q_vector;
>+
>+		new_q_vector = kzalloc(size, GFP_KERNEL);
>+		if (new_q_vector)
>+			kfree_rcu(q_vector, rcu);
>+		q_vector = new_q_vector;

Ok, that makes more sense to me.

Reviewed-by: Michael J. Ruhl <michael.j.ruhl@...el.com>

Mike


> 	} else {
> 		memset(q_vector, 0, size);
> 	}
>--
>2.34.1

Powered by blists - more mailing lists