lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <67230006-7532-3dbf-7f12-875de7db8312@pengutronix.de>
Date:   Mon, 1 Mar 2021 15:26:09 +0100
From:   Marc Kleine-Budde <mkl@...gutronix.de>
To:     Tong Zhang <ztong0001@...il.com>,
        Wolfgang Grandegger <wg@...ndegger.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, linux-can@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] can: c_can_pci: fix use-after-free

On 3/1/21 3:45 AM, Tong Zhang wrote:
> There is a UAF in c_can_pci_remove().
> dev is released by free_c_can_dev() and is used by
> pci_iounmap(pdev, priv->base) later.
> To fix this issue, save the mmio address before releasing dev.
> 
> [ 1795.746699] ==================================================================
> [ 1795.747093] BUG: KASAN: use-after-free in c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.747503] Read of size 8 at addr ffff888103db0be8 by task modprobe/98
> [ 1795.747867]
> [ 1795.747957] CPU: 0 PID: 98 Comm: modprobe Not tainted 5.11.0-11746-g06d5d309a3f1-dirty #56
> [ 1795.748410] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-4
> [ 1795.749025] Call Trace:
> [ 1795.749176]  dump_stack+0x8a/0xb5
> [ 1795.749385]  print_address_description.constprop.0+0x1a/0x140
> [ 1795.749713]  ? c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.750001]  ? c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.750285]  kasan_report.cold+0x7f/0x111
> [ 1795.750513]  ? c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.750797]  c_can_pci_remove+0x34/0x70 [c_can_pci]
> [ 1795.751071]  pci_device_remove+0x62/0xe0
> [ 1795.751308]  device_release_driver_internal+0x148/0x270
> [ 1795.751609]  driver_detach+0x76/0xe0
> [ 1795.751812]  bus_remove_driver+0x7e/0x100
> [ 1795.752051]  pci_unregister_driver+0x28/0xf0
> [ 1795.752286]  __x64_sys_delete_module+0x268/0x300
> [ 1795.752547]  ? __ia32_sys_delete_module+0x300/0x300
> [ 1795.752815]  ? call_rcu+0x3e4/0x580
> [ 1795.753014]  ? fpregs_assert_state_consistent+0x4d/0x60
> [ 1795.753305]  ? exit_to_user_mode_prepare+0x2f/0x130
> [ 1795.753574]  do_syscall_64+0x33/0x40
> [ 1795.753782]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [ 1795.754060] RIP: 0033:0x7f033332dcf7
> [ 1795.754257] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 41
> [ 1795.755248] RSP: 002b:00007ffd06037208 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
> [ 1795.755655] RAX: ffffffffffffffda RBX: 00007f03333ab690 RCX: 00007f033332dcf7
> [ 1795.756038] RDX: 00000000ffffffff RSI: 0000000000000080 RDI: 0000000000d20b10
> [ 1795.756420] RBP: 0000000000d20ac0 R08: 2f2f2f2f2f2f2f2f R09: 0000000000d20ac0
> [ 1795.756801] R10: fefefefefefefeff R11: 0000000000000202 R12: 0000000000d20ac0
> [ 1795.757183] R13: 0000000000d2abf0 R14: 0000000000000000 R15: 0000000000000001
> [ 1795.757565]
> [ 1795.757651] The buggy address belongs to the page:
> [ 1795.757912] page:(____ptrval____) refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn0
> [ 1795.758427] flags: 0x200000000000000()
> [ 1795.758633] raw: 0200000000000000 ffffea00040f7608 ffff88817fffab18 0000000000000000
> [ 1795.759047] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
> [ 1795.759460] page dumped because: kasan: bad access detected
> [ 1795.759759]
> [ 1795.759845] Memory state around the buggy address:
> [ 1795.760104]  ffff888103db0a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.760490]  ffff888103db0b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.760878] >ffff888103db0b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.761264]                                                           ^
> [ 1795.761618]  ffff888103db0c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.762007]  ffff888103db0c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1795.762392] ==================================================================

I've removed the kasan report, as your problem description is sufficient.

> 
> Signed-off-by: Tong Zhang <ztong0001@...il.com>
> ---
>  drivers/net/can/c_can/c_can_pci.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/can/c_can/c_can_pci.c b/drivers/net/can/c_can/c_can_pci.c
> index 406b4847e5dc..a378383a99fb 100644
> --- a/drivers/net/can/c_can/c_can_pci.c
> +++ b/drivers/net/can/c_can/c_can_pci.c
> @@ -239,12 +239,13 @@ static void c_can_pci_remove(struct pci_dev *pdev)
>  {
>  	struct net_device *dev = pci_get_drvdata(pdev);
>  	struct c_can_priv *priv = netdev_priv(dev);
> -
> +	void __iomem *addr = priv->base;
> +  

Please don't add trailing whitespace.

I've removed them while applying.

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ