lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 26 Apr 2021 07:26:45 +0000
From:   "Bernard Metzler" <BMT@...ich.ibm.com>
To:     "Lv Yunlong" <lyl2019@...l.ustc.edu.cn>
Cc:     "dledford" <dledford@...hat.com>, "jgg" <jgg@...pe.ca>,
        "linux-rdma" <linux-rdma@...r.kernel.org>,
        "linux-kernel" <linux-kernel@...r.kernel.org>, leon@...nel.org
Subject: Re: [PATCH v2] rdma/siw: Fix a use after free in siw_alloc_mr

-----"Lv Yunlong" <lyl2019@...l.ustc.edu.cn> wrote: -----

>To: bmt@...ich.ibm.com, dledford@...hat.com, jgg@...pe.ca
>From: "Lv Yunlong" <lyl2019@...l.ustc.edu.cn>
>Date: 04/26/2021 03:17AM
>Cc: linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org, "Lv
>Yunlong" <lyl2019@...l.ustc.edu.cn>
>Subject: [EXTERNAL] [PATCH v2] rdma/siw: Fix a use after free in
>siw_alloc_mr
>
>Our code analyzer reported a uaf.
>
>In siw_alloc_mr, it calls siw_mr_add_mem(mr,..). In the
>implementation
>of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed
>via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point
>to a freed object. After, the execution continue up to the err_out
>branch
>of siw_alloc_mr, and the freed mr->mem is used in
>siw_mr_drop_mem(mr).
>
>My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0)
>{}
>section, to avoid the uaf.
>
>Fixes: 2251334dcac9e ("rdma/siw: application buffer management")
>Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
>---
> drivers/infiniband/sw/siw/siw_mem.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/infiniband/sw/siw/siw_mem.c
>b/drivers/infiniband/sw/siw/siw_mem.c
>index 34a910cf0edb..96b38cfbb513 100644
>--- a/drivers/infiniband/sw/siw/siw_mem.c
>+++ b/drivers/infiniband/sw/siw/siw_mem.c
>@@ -106,8 +106,6 @@ int siw_mr_add_mem(struct siw_mr *mr, struct
>ib_pd *pd, void *mem_obj,
> 	mem->perms = rights & IWARP_ACCESS_MASK;
> 	kref_init(&mem->ref);
> 
>-	mr->mem = mem;
>-
> 	get_random_bytes(&next, 4);
> 	next &= 0x00ffffff;
> 
>@@ -116,6 +114,8 @@ int siw_mr_add_mem(struct siw_mr *mr, struct
>ib_pd *pd, void *mem_obj,
> 		kfree(mem);
> 		return -ENOMEM;
> 	}
>+
>+	mr->mem = mem;
> 	/* Set the STag index part */
> 	mem->stag = id << 8;
> 	mr->base_mr.lkey = mr->base_mr.rkey = mem->stag;
>-- 
>2.25.1
>
>
>
Lv Yunlong, many thanks for catching, and thanks to
Leon for improving it.

Reviewed-by: Bernard Metzler <bmt@...ich.ihm.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ