lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250429034007.578-1-xiangwencheng@lanxincomputing.com>
Date: Tue, 29 Apr 2025 11:40:07 +0800
From: "BillXiang" <xiangwencheng@...xincomputing.com>
To: <tjeznach@...osinc.com>
Cc: <joro@...tes.org>, <will@...nel.org>, <robin.murphy@....com>, 
	<paul.walmsley@...ive.com>, <palmer@...belt.com>, 
	<aou@...s.berkeley.edu>, <alex@...ti.fr>, <iommu@...ts.linux.dev>, 
	<linux-riscv@...ts.infradead.org>, <linux-kernel@...r.kernel.org>, 
	<xiangwencheng@...xincomputing.com>
Subject: [PATCH] iommu/riscv: fix use after free of riscv_iommu_domain

The function vfio_group_detach_container begins by calling
vfio_iommu_type1_detach_group, which may subsequently calls
riscv_iommu_free_paging_domain to release the riscv_iommu_domain.
Then, iommu_group_release_dma_owner is triggered, which results in
the execution of riscv_iommu_attach_paging_domain and
riscv_iommu_bond_unlink(info->domain). However, the info->domain
had been freed beforehand but was not set to NULL, leading to errors.

This commit resolves the issue by setting info->domain to NULL within
riscv_iommu_bond_unlink, a function that is called by
riscv_iommu_attach_blocking_domain before the domain was freed.

Signed-off-by: BillXiang <xiangwencheng@...xincomputing.com>
---
 drivers/iommu/riscv/iommu.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index bb57092ca901..f9e127978ac7 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -880,6 +880,7 @@ static void riscv_iommu_bond_unlink(struct riscv_iommu_domain *domain,
 	struct riscv_iommu_device *iommu = dev_to_iommu(dev);
 	struct riscv_iommu_bond *bond, *found = NULL;
 	struct riscv_iommu_command cmd;
+	struct riscv_iommu_info *info;
 	int count = 0;
 
 	if (!domain)
@@ -894,8 +895,11 @@ static void riscv_iommu_bond_unlink(struct riscv_iommu_domain *domain,
 		else if (dev_to_iommu(bond->dev) == iommu)
 			count++;
 	}
-	if (found)
+	if (found) {
+		info = dev_iommu_priv_get(dev);
+		info->domain = NULL;
 		list_del_rcu(&found->list);
+	}
 	spin_unlock(&domain->lock);
 	kfree_rcu(found, rcu);
 
@@ -1293,8 +1297,16 @@ static void riscv_iommu_free_paging_domain(struct iommu_domain *iommu_domain)
 {
 	struct riscv_iommu_domain *domain = iommu_domain_to_riscv(iommu_domain);
 	const unsigned long pfn = virt_to_pfn(domain->pgd_root);
+	struct riscv_iommu_bond *bond;
+	struct riscv_iommu_info *info;
 
 	WARN_ON(!list_empty(&domain->bonds));
+	spin_lock(&domain->lock);
+	list_for_each_entry(bond, &domain->bonds, list) {
+		info = dev_iommu_priv_get(bond->dev);
+		info->domain = NULL;
+	}
+	spin_unlock(&domain->lock);
 
 	if ((int)domain->pscid > 0)
 		ida_free(&riscv_iommu_pscids, domain->pscid);
-- 
2.46.2.windows.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ