| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Mar 2021 15:26:09 +0100
From: Marc Kleine-Budde <mkl@...gutronix.de>
To: Tong Zhang <ztong0001@...il.com>,
Wolfgang Grandegger <wg@...ndegger.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, linux-can@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] can: c_can_pci: fix use-after-free
On 3/1/21 3:45 AM, Tong Zhang wrote:
> There is a UAF in c_can_pci_remove().
> dev is released by free_c_can_dev() and is used by
> pci_iounmap(pdev, priv->base) later.
> To fix this issue, save the mmio address before releasing dev.
>
> [ 1795.746699] ==================================================================
> [ 1795.747093] BUG: KASAN: use-after-free in c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.747503] Read of size 8 at addr ffff888103db0be8 by task modprobe/98
> [ 1795.747867]
> [ 1795.747957] CPU: 0 PID: 98 Comm: modprobe Not tainted 5.11.0-11746-g06d5d309a3f1-dirty #56
> [ 1795.748410] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-4
> [ 1795.749025] Call Trace:
> [ 1795.749176] dump_stack+0x8a/0xb5
> [ 1795.749385] print_address_description.constprop.0+0x1a/0x140
> [ 1795.749713] ? c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.750001] ? c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.750285] kasan_report.cold+0x7f/0x111
> [ 1795.750513] ? c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.750797] c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.751071] pci_device_remove+0x62/0xe0
> [ 1795.751308] device_release_driver_internal+0x148/0x270
> [ 1795.751609] driver_detach+0x76/0xe0
> [ 1795.751812] bus_remove_driver+0x7e/0x100
> [ 1795.752051] pci_unregister_driver+0x28/0xf0
> [ 1795.752286] __x64_sys_delete_module+0x268/0x300
> [ 1795.752547] ? __ia32_sys_delete_module+0x300/0x300
> [ 1795.752815] ? call_rcu+0x3e4/0x580
> [ 1795.753014] ? fpregs_assert_state_consistent+0x4d/0x60
> [ 1795.753305] ? exit_to_user_mode_prepare+0x2f/0x130
> [ 1795.753574] do_syscall_64+0x33/0x40
> [ 1795.753782] entry_SYSCALL_64_after_hwframe+0x44/0xae
> [ 1795.754060] RIP: 0033:0x7f033332dcf7
> [ 1795.754257] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 41
> [ 1795.755248] RSP: 002b:00007ffd06037208 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
> [ 1795.755655] RAX: ffffffffffffffda RBX: 00007f03333ab690 RCX: 00007f033332dcf7
> [ 1795.756038] RDX: 00000000ffffffff RSI: 0000000000000080 RDI: 0000000000d20b10
> [ 1795.756420] RBP: 0000000000d20ac0 R08: 2f2f2f2f2f2f2f2f R09: 0000000000d20ac0
> [ 1795.756801] R10: fefefefefefefeff R11: 0000000000000202 R12: 0000000000d20ac0
> [ 1795.757183] R13: 0000000000d2abf0 R14: 0000000000000000 R15: 0000000000000001
> [ 1795.757565]
> [ 1795.757651] The buggy address belongs to the page:
> [ 1795.757912] page:(____ptrval____) refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn0
> [ 1795.758427] flags: 0x200000000000000()
> [ 1795.758633] raw: 0200000000000000 ffffea00040f7608 ffff88817fffab18 0000000000000000
> [ 1795.759047] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
> [ 1795.759460] page dumped because: kasan: bad access detected
> [ 1795.759759]
> [ 1795.759845] Memory state around the buggy address:
> [ 1795.760104] ffff888103db0a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.760490] ffff888103db0b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.760878] >ffff888103db0b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.761264] ^
> [ 1795.761618] ffff888103db0c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.762007] ffff888103db0c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.762392] ==================================================================
I've removed the kasan report, as your problem description is sufficient.
>
> Signed-off-by: Tong Zhang <ztong0001@...il.com>
> ---
> drivers/net/can/c_can/c_can_pci.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/can/c_can/c_can_pci.c b/drivers/net/can/c_can/c_can_pci.c
> index 406b4847e5dc..a378383a99fb 100644
> --- a/drivers/net/can/c_can/c_can_pci.c
> +++ b/drivers/net/can/c_can/c_can_pci.c
> @@ -239,12 +239,13 @@ static void c_can_pci_remove(struct pci_dev *pdev)
> {
> struct net_device *dev = pci_get_drvdata(pdev);
> struct c_can_priv *priv = netdev_priv(dev);
> -
> + void __iomem *addr = priv->base;
> +
Please don't add trailing whitespace.
I've removed them while applying.
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists