Message-ID: <20241112070339.ivgjqctoxaf2xqxr@thinkpad>
Date: Tue, 12 Nov 2024 12:33:39 +0530
From: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>
To: Zijun Hu <zijun_hu@...oud.com>
Cc: Krzysztof Wilczyński <kw@...ux.com>,
	Kishon Vijay Abraham I <kishon@...nel.org>,
	Bjorn Helgaas <bhelgaas@...gle.com>, Frank Li <Frank.Li@....com>,
	Lorenzo Pieralisi <lpieralisi@...nel.org>,
	Krzysztof Wilczyński <kwilczynski@...nel.org>,
	linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
	Zijun Hu <quic_zijuhu@...cinc.com>,
	Jingoo Han <jingoohan1@...il.com>,
	Marek Vasut <marek.vasut+renesas@...il.com>,
	Yoshihiro Shimoda <yoshihiro.shimoda.uh@...esas.com>,
	Shawn Lin <shawn.lin@...k-chips.com>,
	Heiko Stuebner <heiko@...ech.de>, stable@...r.kernel.org
Subject: Re: [PATCH v2 1/2] PCI: endpoint: Fix API pci_epc_destroy() releasing domain_nr ID faults

On Thu, Nov 07, 2024 at 08:53:08AM +0800, Zijun Hu wrote:
> From: Zijun Hu <quic_zijuhu@...cinc.com>
> 
> pci_epc_destroy() invokes pci_bus_release_domain_nr() to release domain_nr
> ID, but the invocation has the following two faults:
> 
> - The latter accesses device @epc->dev which has been kfree()ed by previous
>   device_unregister(), namely, it is a UAF issue.
> 
> - The latter frees the domain_nr ID into @epc->dev, but the ID is actually
>   allocated from @epc->dev.parent, so it will destroy domain_nr IDA.
> 
> Fix by freeing the ID to @epc->dev.parent before unregistering @epc->dev.
> 
> The file(s) affected are shown below since they indirectly use the API.
> drivers/pci/controller/cadence/pcie-cadence-ep.c
> drivers/pci/controller/dwc/pcie-designware-ep.c
> drivers/pci/controller/pcie-rockchip-ep.c
> drivers/pci/controller/pcie-rcar-ep.c

No need to mention the callers.

> 
> Fixes: 0328947c5032 ("PCI: endpoint: Assign PCI domain number for endpoint controllers")
> Cc: Lorenzo Pieralisi <lpieralisi@...nel.org>
> Cc: Jingoo Han <jingoohan1@...il.com>
> Cc: Marek Vasut <marek.vasut+renesas@...il.com>
> Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@...esas.com>
> Cc: Shawn Lin <shawn.lin@...k-chips.com>
> Cc: Heiko Stuebner <heiko@...ech.de>
> Cc: stable@...r.kernel.org
> Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>

Good catch! (not sure how I messed up in the first place).

Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>

- Mani

> ---
>  drivers/pci/endpoint/pci-epc-core.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
> index 17f007109255..bcc9bc3d6df5 100644
> --- a/drivers/pci/endpoint/pci-epc-core.c
> +++ b/drivers/pci/endpoint/pci-epc-core.c
> @@ -837,11 +837,10 @@ EXPORT_SYMBOL_GPL(pci_epc_bus_master_enable_notify);
>  void pci_epc_destroy(struct pci_epc *epc)
>  {
>  	pci_ep_cfs_remove_epc_group(epc->group);
> -	device_unregister(&epc->dev);
> -
>  #ifdef CONFIG_PCI_DOMAINS_GENERIC
> -	pci_bus_release_domain_nr(&epc->dev, epc->domain_nr);
> +	pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr);
>  #endif
> +	device_unregister(&epc->dev);
>  }
>  EXPORT_SYMBOL_GPL(pci_epc_destroy);
>  
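Review bot: the domain ID is now released at `pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr)` while `&epc->dev` is still registered, so `epc->domain_nr` holds a stale value for the duration of `device_unregister(&epc->dev)`; since `pci_ep_cfs_remove_epc_group(epc->group)` on the line above has already removed the configfs group, nothing user-facing should read it in that window, but a one-line comment above the `#ifdef` stating that the ID must be returned to the parent's IDA before the device is unregistered would keep this ordering from being silently reverted later.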
> 
> -- 
> 2.34.1
> 

-- 
மணிவண்ணன் சதாசிவம்
