| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0b9cd54f-cab4-7675-cecf-171d4d45b897@nvidia.com>
Date: Tue, 23 Mar 2021 10:52:07 +0200
From: Maxim Mikityanskiy <maximmi@...dia.com>
To: Lv Yunlong <lyl2019@...l.ustc.edu.cn>, <borisp@...dia.com>,
<saeedm@...dia.com>, <leon@...nel.org>, <davem@...emloft.net>,
<kuba@...nel.org>, <maximmi@...lanox.com>
CC: <netdev@...r.kernel.org>, <linux-rdma@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] net/mlx5: Fix a potential use after free in
mlx5e_ktls_del_rx
On 2021-03-22 16:21, Lv Yunlong wrote:
> My static analyzer tool reported a potential uaf in
> mlx5e_ktls_del_rx. In this function, if the condition
> cancel_work_sync(&resync->work) is true, and then
> priv_rx could be freed. But priv_rx is used later.
>
> I'm unfamiliar with how this function works. Maybe the
> maintainer forgot to add return after freeing priv_rx?
Thanks for running a static analyzer over our code! Sadly, the fix is
not correct and breaks stuff, and there is no problem with this code.
First of all, mlx5e_ktls_priv_rx_put doesn't necessarily free priv_rx.
It decrements the refcount and frees the object only when the refcount
goes to zero. Unless there are other bugs, the refcount in this branch
is not expected to go to zero, so there is no use-after-free in the code
below. The corresponding elevation of the refcount happens before
queue_work of resync->work. So, no, we haven't forgot to add a return,
we just expect priv_rx to stay alive after this call, and we want to run
the cleanup code below this `if`, while your fix skips the cleanup and
skips the second mlx5e_ktls_priv_rx_put in the end of this function,
leading to a memory leak.
If you'd like to calm down the static analyzer, you could try to add a
WARN_ON assertion to check that mlx5e_ktls_priv_rx_put returns false in
that `if` (meaning that the object hasn't been freed). If would be nice
to have this WARN_ON regardless of static analyzers.
> Fixes: b850bbff96512 ("net/mlx5e: kTLS, Use refcounts to free kTLS RX priv context")
> Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
> index d06532d0baa4..54a77df42316 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
> @@ -663,8 +663,10 @@ void mlx5e_ktls_del_rx(struct net_device *netdev, struct tls_context *tls_ctx)
> */
> wait_for_completion(&priv_rx->add_ctx);
> resync = &priv_rx->resync;
> - if (cancel_work_sync(&resync->work))
> + if (cancel_work_sync(&resync->work)) {
> mlx5e_ktls_priv_rx_put(priv_rx);
> + return;
> + }
>
> priv_rx->stats->tls_del++;
> if (priv_rx->rule.rule)
>
Powered by blists - more mailing lists