lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 30 Apr 2021 17:10:02 -0700
From:   Govindarajulu Varadarajan <govind.varadar@...il.com>
To:     lyl2019@...l.ustc.edu.cn, benve@...co.com, davem@...emloft.net,
        kuba@...nel.org
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [BUG] ethernet:enic: A use after free bug in
 enic_hard_start_xmit

On Tue, 2021-04-27 at 10:55 +0800, lyl2019@...l.ustc.edu.cn wrote:
> Hi, maintainers.
>     Our code analyzer reported a uaf bug, but it is a little
> difficult for me to fix it directly.
> 
> File: drivers/net/ethernet/cisco/enic/enic_main.c
> In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside
> enic_queue_wq_skb, if some error happens, the skb will be freed
> by dev_kfree_skb(skb). But the freed skb is still used in 
> skb_tx_timestamp(skb).
> 
> ```
>         enic_queue_wq_skb(enic, wq, skb);// skb could freed here
> 
>         if (vnic_wq_desc_avail(wq) < MAX_SKB_FRAGS + ENIC_DESC_MAX_SPLITS)
>                 netif_tx_stop_queue(txq);
>         skb_tx_timestamp(skb); // freed skb is used here.
> ```
> Bug introduced by fb7516d42478e ("enic: add sw timestamp support").

Thank you for reporting this.

One solution is to make enic_queue_wq_skb() return error and goto spin_unlock()
incase of error.

Would you like to send the fix for this?

--
Govind

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ