lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Y6NTGjcM8aUE0M5w@localhost.localdomain>
Date:   Wed, 21 Dec 2022 19:40:26 +0100
From:   Michal Swiatkowski <michal.swiatkowski@...ux.intel.com>
To:     Daniil Tatianin <d-tatianin@...dex-team.ru>
Cc:     Shahed Shaikh <shshaikh@...vell.com>,
        Manish Chopra <manishc@...vell.com>,
        GR-Linux-NIC-Dev@...vell.com,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] qlcnic: prevent ->dcb use-after-free on
 qlcnic_dcb_enable() failure

On Wed, Dec 21, 2022 at 10:47:29AM +0300, Daniil Tatianin wrote:
> On 12/20/22 4:32 PM, Michal Swiatkowski wrote:
> > On Tue, Dec 20, 2022 at 03:56:49PM +0300, Daniil Tatianin wrote:
> > > adapter->dcb would get silently freed inside qlcnic_dcb_enable() in
> > > case qlcnic_dcb_attach() would return an error, which always happens
> > > under OOM conditions. This would lead to use-after-free because both
> > > of the existing callers invoke qlcnic_dcb_get_info() on the obtained
> > > pointer, which is potentially freed at that point.
> > > 
> > > Propagate errors from qlcnic_dcb_enable(), and instead free the dcb
> > > pointer at callsite.
> > > 
> > > Found by Linux Verification Center (linuxtesting.org) with the SVACE
> > > static analysis tool.
> > > 
> > > Signed-off-by: Daniil Tatianin <d-tatianin@...dex-team.ru>
> > 
> > Please add Fix tag and net as target (net-next is close till the end of
> > this year)
> > 
> Sorry, I'll include a fixes tag.
> Could you please explain what I would have to do to add net as target?

Sorry, maybe it was bad wording. I meant to have PATCH net v2 in title.
For example by adding to git format-patch:
--subject-prefix="PATCH net v2"

> > > ---
> > >   drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 9 ++++++++-
> > >   drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h       | 5 ++---
> > >   drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c      | 9 ++++++++-
> > >   3 files changed, 18 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
> > > index dbb800769cb6..465f149d94d4 100644
> > > --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
> > > +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
> > > @@ -2505,7 +2505,14 @@ int qlcnic_83xx_init(struct qlcnic_adapter *adapter)
> > >   		goto disable_mbx_intr;
> > >   	qlcnic_83xx_clear_function_resources(adapter);
> > > -	qlcnic_dcb_enable(adapter->dcb);
> > > +
> > > +	err = qlcnic_dcb_enable(adapter->dcb);
> > > +	if (err) {
> > > +		qlcnic_clear_dcb_ops(adapter->dcb);
> > > +		adapter->dcb = NULL;
> > > +		goto disable_mbx_intr;
> > > +	}
> > 
> > Maybe I miss sth but it looks like there can be memory leak.
> > For example if error in attach happen after allocating of dcb->cfg.
> > Isn't it better to call qlcnic_dcb_free instead of qlcnic_clear_dcb_ops?
> I think you're right, if attach fails midway then we might leak cfg or
> something else.
> I'll use qlcnic_dcb_free() instead and completely remove
> qlcnic_clear_dcb_ops() as it
> seems to be unused and relies on dcb being in a very specific state.

Great, thanks

[...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ