lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20241102-epc_rfc-v1-1-5026322df5bc@quicinc.com>
Date: Sat, 02 Nov 2024 22:26:14 +0800
From: Zijun Hu <zijun_hu@...oud.com>
To: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>, 
 Krzysztof Wilczyński <kw@...ux.com>, 
 Kishon Vijay Abraham I <kishon@...nel.org>, 
 Bjorn Helgaas <bhelgaas@...gle.com>, Frank Li <Frank.Li@....com>, 
 Lorenzo Pieralisi <lpieralisi@...nel.org>
Cc: Zijun Hu <zijun_hu@...oud.com>, 
 Krzysztof Wilczyński <kwilczynski@...nel.org>, 
 linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Zijun Hu <quic_zijuhu@...cinc.com>, stable@...r.kernel.org
Subject: [PATCH RFC 1/2] PCI: endpoint: Fix API pci_epc_destroy() releasing
 domain_nr ID faults

From: Zijun Hu <quic_zijuhu@...cinc.com>

pci_epc_destroy() invokes pci_bus_release_domain_nr() to release domain_nr
ID, but the invocation has below 2 faults:

- The later accesses device @epc->dev which has been kfree()ed by previous
  device_unregister(), namely, it is a UAF issue.

- The later frees the domain_nr ID into @epc->dev, but the ID is actually
  allocated from @epc->dev.parent, so it will destroy domain_nr IDA.

Fix by freeing the ID to @epc->dev.parent before unregistering @epc->dev.

Fixes: 0328947c5032 ("PCI: endpoint: Assign PCI domain number for endpoint controllers")
Cc: stable@...r.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
---
 drivers/pci/endpoint/pci-epc-core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
index 17f007109255..bcc9bc3d6df5 100644
--- a/drivers/pci/endpoint/pci-epc-core.c
+++ b/drivers/pci/endpoint/pci-epc-core.c
@@ -837,11 +837,10 @@ EXPORT_SYMBOL_GPL(pci_epc_bus_master_enable_notify);
 void pci_epc_destroy(struct pci_epc *epc)
 {
 	pci_ep_cfs_remove_epc_group(epc->group);
-	device_unregister(&epc->dev);
-
 #ifdef CONFIG_PCI_DOMAINS_GENERIC
-	pci_bus_release_domain_nr(&epc->dev, epc->domain_nr);
+	pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr);
 #endif
+	device_unregister(&epc->dev);
 }
 EXPORT_SYMBOL_GPL(pci_epc_destroy);
 

-- 
2.34.1


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ