lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fd5bacfa-b357-a2e2-f0b2-2098cdc734f2@leemhuis.info>
Date:   Mon, 21 Feb 2022 13:00:40 +0100
From:   Thorsten Leemhuis <regressions@...mhuis.info>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org
Cc:     stable@...r.kernel.org, Stefan Agner <stefan@...er.ch>,
        Wolfgang Walter <linux@...m.de>,
        Jason Self <jason@...ehome.net>,
        Dominik Behr <dominik@...inikbehr.com>,
        Marek Marczykowski-Górecki 
        <marmarek@...isiblethingslab.com>,
        Johannes Berg <johannes.berg@...el.com>,
        Kalle Valo <kvalo@...nel.org>
Subject: Re: [PATCH 5.16 077/227] iwlwifi: fix use-after-free

Hi, this is your Linux kernel regression tracker.

On 21.02.22 09:48, Greg Kroah-Hartman wrote:
> From: Johannes Berg <johannes.berg@...el.com>
> 
> commit bea2662e7818e15d7607d17d57912ac984275d94 upstream.
> 
> If no firmware was present at all (or, presumably, all of the
> firmware files failed to parse), we end up unbinding by calling
> device_release_driver(), which calls remove(), which then in
> iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
> the new code I added will still erroneously access it after it
> was freed.
> 
> Set 'failure=false' in this case to avoid the access, all data
> was already freed anyway.
> 
> Cc: stable@...r.kernel.org
> Reported-by: Stefan Agner <stefan@...er.ch>
> Reported-by: Wolfgang Walter <linux@...m.de>
> Reported-by: Jason Self <jason@...ehome.net>
> Reported-by: Dominik Behr <dominik@...inikbehr.com>
> Reported-by: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>
> Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
> Signed-off-by: Johannes Berg <johannes.berg@...el.com>
> Signed-off-by: Kalle Valo <kvalo@...nel.org>
> Link: https://lore.kernel.org/r/20220208114728.e6b514cf4c85.Iffb575ca2a623d7859b542c33b2a507d01554251@changeid
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

Great to see that you quickly picked up this patch. Once the new stable
and longterm releases are out on Wednesday, it will fix a regression
that made it into many stable and longterm kernels nearly four weeks
earlier. I tracked the issue, which made me we wonder: should I have
done something differently in this case to get the regression resolved
more quickly? Should I maybe have suggested to remove the culprit
temporarily until the fix was merged to mainline?

For context, this is the story of the regression afaics: the change
ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
was merged for 5.17-rc1 (released on 2022-01-23). Shortly after it was
backported to several stable/longterm series with new versions released
on 2022-01-27. It triggered a general protection fault, if the proper
firmware file was missing. Afaics at least five people reported the
problem between 2022-02-01 and 2022-02-11 for at least 5.10.y, 5.15.y
and 5.16.y (some of those reports were on the stable list), which shows
that such a setup is not that unusual. A fix was posted on 2022-02-08
and approved and committed by a maintainer on 2022-02-10. It was then
merged to mainline on 2022-02-17 (I hope we can find ways to reduce such
particular timeframes in the future, but that's a different story). Now
that rc5 is out the fix is on track for integration into new stable and
longterm releases due soon -- in the end about four weeks after the
regression was introduced and a bit more than three after it was
reported to the stable list.

Ciao, Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ