lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 6 Dec 2023 16:43:09 +0000
From:   Suman Ghosh <sumang@...vell.com>
To:     Dinghao Liu <dinghao.liu@....edu.cn>
CC:     Ariel Elior <aelior@...vell.com>,
        Manish Chopra <manishc@...vell.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Yuval Mintz <Yuval.Mintz@...gic.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [EXT] [PATCH] qed: Fix a potential double-free in
 qed_cxt_tables_alloc

>qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to free p_hwfn-
>>p_cxt_mngr->ilt_shadow on error. However,
>qed_cxt_tables_alloc() frees this pointer again on failure of
>qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(), which may
>lead to double-free. Fix this issue by setting p_hwfn->p_cxt_mngr-
>>ilt_shadow to NULL in qed_ilt_shadow_free().
>
>Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
>Signed-off-by: Dinghao Liu <dinghao.liu@....edu.cn>
>---
> drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
>b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
>index 65e20693c549..26e247517394 100644
>--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
>+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
>@@ -933,6 +933,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn
>*p_hwfn)
> 		p_dma->virt_addr = NULL;
> 	}
> 	kfree(p_mngr->ilt_shadow);
>+	p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
[Suman] Hi Dinghao,

I am not sure how this will help prevent the double free here? If qed_ilt_shadow_alloc() fails to allocate memory, then still qed_cxt_mngr_free() will be called and kfree()
will try to free the NULL pointer. Shouldn't it be like below?

if (p_mngr->ilt_shadow)
	Kfree(p_mngr->ilt_shadow);
> }
>
> static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,
>--
>2.17.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ