| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Yy7+BCQnGaQiNlyF@kroah.com>
Date: Sat, 24 Sep 2022 14:54:28 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Zheng Wang <zyytlz.wz@....com>
Cc: dimitri.sivanich@....com, arnd@...db.de,
linux-kernel@...r.kernel.org, hackerzheng666@...il.com,
alex000young@...il.com, security@...nel.org
Subject: Re: [PATCH] misc: sgi-gru: fix use-after-free error in
gru_set_context_option, gru_fault and gru_handle_user_call_os
On Mon, Sep 19, 2022 at 10:32:05PM +0800, Zheng Wang wrote:
> In grufile.c, gru_file_unlocked_ioctl function can be called by user.
>
> If the req is GRU_SET_CONTEXT_OPTION, it will call gru_set_context_option.
>
> In gru_set_context_option, as req can be controlled by user,
>
> We can reach gru_check_context_placement function call.
>
> In gru_check_context_placement function, if the error path was steped,
>
> say gru_check_chiplet_assignment return 0,
>
> Then it will fall into gru_unload_context function.
>
> And it will finnaly call kfree gts in gts_drop function.
>
> Then gru_unlock_gts will be called in gru_set_context_option function.
>
> This is a typical Use after free.
>
> The same problem exists in gru_handle_user_call_os and gru_fault.
>
> Fix it by introduce the return value to see if gts is in good case or not.
>
> Free the gts in caller when gru_check_chiplet_assignment check failed.
Your text formatting is a bit odd, don't you think?
>
> Reported-by: Zheng Wang <hackerzheng666@...il.com> Zhuorao Yang <alex000young@...il.com>
Why twice?
Should be two different reported-by lines, right?
Otherwise looks good, can you fix that up and resend?
thanks,
greg k-h
Powered by blists - more mailing lists