lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240829-fix_use_after_free-v1-1-1507e307507f@microchip.com>
Date: Thu, 29 Aug 2024 11:52:54 +0200
From: Jens Emil Schulz Østergaard
	<jensemil.schulzostergaard@...rochip.com>
To: Lars Povlsen <lars.povlsen@...rochip.com>, Steen Hegelund
	<Steen.Hegelund@...rochip.com>, Daniel Machon <daniel.machon@...rochip.com>,
	<UNGLinuxDriver@...rochip.com>, "David S. Miller" <davem@...emloft.net>,
	"Eric Dumazet" <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo
 Abeni <pabeni@...hat.com>
CC: Steen Hegelund <steen.hegelund@...rochip.com>, Dan Carpenter
	<error27@...il.com>, <linux-arm-kernel@...ts.infradead.org>,
	<netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	Jens Emil Schulz Østergaard
	<jensemil.schulzostergaard@...rochip.com>
Subject: [PATCH net] net: microchip: vcap: Fix use-after-free error in
 kunit test

This is a clear use-after-free error. We remove it, and rely on checking
the return code of vcap_del_rule.

Reported-by: Dan Carpenter <error27@...il.com>
Closes: https://lore.kernel.org/kernel-janitors/7bffefc6-219a-4f71-baa0-ad4526e5c198@kili.mountain/
Fixes: c956b9b318d9 ("net: microchip: sparx5: Adding KUNIT tests of key/action values in VCAP API")
Signed-off-by: Jens Emil Schulz Østergaard <jensemil.schulzostergaard@...rochip.com>
---
 drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
index 51d9423b08a6..f2a5a36fdacd 100644
--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
@@ -1442,18 +1442,8 @@ static void vcap_api_encode_rule_test(struct kunit *test)
 	vcap_enable_lookups(&test_vctrl, &test_netdev, 0, 0,
 			    rule->cookie, false);
 
-	vcap_free_rule(rule);
-
-	/* Check that the rule has been freed: tricky to access since this
-	 * memory should not be accessible anymore
-	 */
-	KUNIT_EXPECT_PTR_NE(test, NULL, rule);
-	ret = list_empty(&rule->keyfields);
-	KUNIT_EXPECT_EQ(test, true, ret);
-	ret = list_empty(&rule->actionfields);
-	KUNIT_EXPECT_EQ(test, true, ret);
-
-	vcap_del_rule(&test_vctrl, &test_netdev, id);
+	ret = vcap_del_rule(&test_vctrl, &test_netdev, id);
+	KUNIT_EXPECT_EQ(test, 0, ret);
 }
 
 static void vcap_api_set_rule_counter_test(struct kunit *test)

---
base-commit: 4186c8d9e6af57bab0687b299df10ebd47534a0a
change-id: 20240826-fix_use_after_free-eb34c0c66129

Best regards,
-- 
Jens Emil Schulz Østergaard <jensemil.schulzostergaard@...rochip.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ