| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Feb 2022 13:00:40 +0100
From: Thorsten Leemhuis <regressions@...mhuis.info>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org
Cc: stable@...r.kernel.org, Stefan Agner <stefan@...er.ch>,
Wolfgang Walter <linux@...m.de>,
Jason Self <jason@...ehome.net>,
Dominik Behr <dominik@...inikbehr.com>,
Marek Marczykowski-Górecki
<marmarek@...isiblethingslab.com>,
Johannes Berg <johannes.berg@...el.com>,
Kalle Valo <kvalo@...nel.org>
Subject: Re: [PATCH 5.16 077/227] iwlwifi: fix use-after-free
Hi, this is your Linux kernel regression tracker.
On 21.02.22 09:48, Greg Kroah-Hartman wrote:
> From: Johannes Berg <johannes.berg@...el.com>
>
> commit bea2662e7818e15d7607d17d57912ac984275d94 upstream.
>
> If no firmware was present at all (or, presumably, all of the
> firmware files failed to parse), we end up unbinding by calling
> device_release_driver(), which calls remove(), which then in
> iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
> the new code I added will still erroneously access it after it
> was freed.
>
> Set 'failure=false' in this case to avoid the access, all data
> was already freed anyway.
>
> Cc: stable@...r.kernel.org
> Reported-by: Stefan Agner <stefan@...er.ch>
> Reported-by: Wolfgang Walter <linux@...m.de>
> Reported-by: Jason Self <jason@...ehome.net>
> Reported-by: Dominik Behr <dominik@...inikbehr.com>
> Reported-by: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>
> Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
> Signed-off-by: Johannes Berg <johannes.berg@...el.com>
> Signed-off-by: Kalle Valo <kvalo@...nel.org>
> Link: https://lore.kernel.org/r/20220208114728.e6b514cf4c85.Iffb575ca2a623d7859b542c33b2a507d01554251@changeid
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Great to see that you quickly picked up this patch. Once the new stable
and longterm releases are out on Wednesday, it will fix a regression
that made it into many stable and longterm kernels nearly four weeks
earlier. I tracked the issue, which made me we wonder: should I have
done something differently in this case to get the regression resolved
more quickly? Should I maybe have suggested to remove the culprit
temporarily until the fix was merged to mainline?
For context, this is the story of the regression afaics: the change
ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
was merged for 5.17-rc1 (released on 2022-01-23). Shortly after it was
backported to several stable/longterm series with new versions released
on 2022-01-27. It triggered a general protection fault, if the proper
firmware file was missing. Afaics at least five people reported the
problem between 2022-02-01 and 2022-02-11 for at least 5.10.y, 5.15.y
and 5.16.y (some of those reports were on the stable list), which shows
that such a setup is not that unusual. A fix was posted on 2022-02-08
and approved and committed by a maintainer on 2022-02-10. It was then
merged to mainline on 2022-02-17 (I hope we can find ways to reduce such
particular timeframes in the future, but that's a different story). Now
that rc5 is out the fix is on track for integration into new stable and
longterm releases due soon -- in the end about four weeks after the
regression was introduced and a bit more than three after it was
reported to the stable list.
Ciao, Thorsten
Powered by blists - more mailing lists