| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Feb 2024 02:15:48 -0700
From: William Kucharski <william.kucharski@...cle.com>
To: Bart Van Assche <bvanassche@....org>, Jason Gunthorpe <jgg@...pe.ca>,
Leon Romanovsky <leon@...nel.org>, linux-rdma@...r.kernel.org,
target-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: William Kucharski <william.kucharski@...cle.com>
Subject: [PATCH v2 0/1] RDMA/srpt: Do not register event handler until srpt device is fully setup
Upon occasion, KASAN testing would report a use-after-free Write in
srpt_refresh_port().
In the course of trying to diagnose this, I noticed that the code in
srpt_add_one() registers an event handler for the srpt device and then
initializes the ports on the device. If any portion of the
device port initialization fails, it removes the registration for the
event handler in the error leg.
This felt like a race condition, where an event handler was registered
before the device ports were fully initialized.
While I can't definitively say this was the issue - this change may just
modify timing to mask the real issue - when modified to not register
the event handler until all of the device ports are intialized,
the issue no longer reproduces in KASAN.
Changelog:
v2:
* Added Fixes tag
William Kucharski (1):
RDMA/srpt: Do not register event handler until srpt device is fully setup
drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--
2.39.3
Upon occasion, KASAN testing would report a use-after-free Write in
srpt_refresh_port().
In the course of trying to diagnose this, I noticed that the code in
srpt_add_one() registers an event handler for the srpt device and then
initializes the ports on the device. If any portion of the
device port initialization fails, it removes the registration for the
event handler in the error leg.
This felt like a race condition, where an event handler was registered
before the device ports were fully initialized.
While I can't definitively say this was the issue - this change may just
modify timing to mask the real issue - when modified to not register
the event handler until all of the device ports are intialized,
the issue no longer reproduces in KASAN.
I'm submitting this patch if only so those better acquainted with
the details of this procedure can analyze whether this was an actual
issue or just intellectual uncomfortableness with the code.
William Kucharski (1):
Upon rare occasions, KASAN reports a use-after-free Write in srpt_refresh_port().
drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--
2.43.0
Powered by blists - more mailing lists