lists.openwall.net
Open Source and information security mailing list archives
Message-Id: <20260127-ipmi-v1-0-ba5cc90f516f@debian.org>
Date: Tue, 27 Jan 2026 01:57:58 -0800
From: Breno Leitao <leitao@...ian.org>
To: Corey Minyard <corey@...yard.net>, 
 Nathan Chancellor <nathan@...nel.org>, 
 Nick Desaulniers <nick.desaulniers+lkml@...il.com>, 
 Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>
Cc: openipmi-developer@...ts.sourceforge.net, linux-kernel@...r.kernel.org, 
 llvm@...ts.linux.dev, Breno Leitao <leitao@...ian.org>, 
 kernel-team@...a.com
Subject: [PATCH] ipmi: fix NULL pointer on smi_work

I am getting the following crash on IPMI on Linus' upstream. It tries to
double-add the same element to a list, and then gets
a slab-use-after-free in handle_one_recv_msg.

Here is the decoded stack against commit cf38b2340c0e ("Merge tag
'soc-fixes-6.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc")

	list_add double add: new=ffff888145b19000, prev=ffff888145b19000, next=ffff88810bb6d480.
	  WARNING: lib/list_debug.c:37 at __list_add_valid_or_report+0x10a/0x130, CPU#64: 0/408
	  Workqueue: events smi_work [ipmi_msghandler]
	  RIP: 0010:__list_add_valid_or_report (rw/compile/lib/list_debug.c:35)

	  deliver_response (rw/compile/./include/linux/list.h:158 rw/compile/./include/linux/list.h:191 rw/compile/drivers/char/ipmi/ipmi_msghandler.c:974) ipmi_msghandler
	  smi_work (rw/compile/drivers/char/ipmi/ipmi_msghandler.c:985 rw/compile/drivers/char/ipmi/ipmi_msghandler.c:999 rw/compile/drivers/char/ipmi/ipmi_msghandler.c:4853) ipmi_msghandler
	  ? process_scheduled_works (rw/compile/kernel/workqueue.c:3233 rw/compile/kernel/workqueue.c:3340)
	  process_scheduled_works (rw/compile/kernel/workqueue.c:? rw/compile/kernel/workqueue.c:3340)
	  worker_thread (rw/compile/./include/linux/list.h:381 rw/compile/kernel/workqueue.c:946 rw/compile/kernel/workqueue.c:3422)
	  kthread (rw/compile/kernel/kthread.c:465)
	  ? pr_cont_work (rw/compile/kernel/workqueue.c:3367)
	  ? kthread_blkcg (rw/compile/kernel/kthread.c:412)
	  ret_from_fork (rw/compile/arch/x86/kernel/process.c:164)
	  ? kthread_blkcg (rw/compile/kernel/kthread.c:412)
	  ret_from_fork_asm (rw/compile/arch/x86/entry/entry_64.S:256)

	list_add double add: new=ffff888145b19000, prev=ffff888145b19000, next=ffff88810bb6d480.
	  WARNING: lib/list_debug.c:37 at __list_add_valid_or_report+0x10a/0x130, CPU#64: 0/408
	  <double add hit again same stack>

	BUG: KASAN: slab-use-after-free in handle_one_recv_msg (rw/compile/drivers/char/ipmi/ipmi_msghandler.c:? rw/compile/drivers/char/ipmi/ipmi_msghandler.c:4761) ipmi_msghandler
	  T473136] Write of size 4 at addr ffff888145b19010 by task kworker/30:3/473136
	  handle_new_recv_msgs (rw/compile/drivers/char/ipmi/ipmi_msghandler.c:4788) ipmi_msghandler
	  ? get_smi_info (rw/compile/drivers/char/ipmi/ipmi_si_intf.c:918) ipmi_si
	  smi_work (rw/compile/drivers/char/ipmi/ipmi_msghandler.c:?) ipmi_msghandler
	  ? process_scheduled_works (rw/compile/kernel/workqueue.c:3233 rw/compile/kernel/workqueue.c:3340)
	  process_scheduled_works (rw/compile/kernel/workqueue.c:? rw/compile/kernel/workqueue.c:3340)
	  worker_thread (rw/compile/./include/linux/list.h:381 rw/compile/kernel/workqueue.c:946 rw/compile/kernel/workqueue.c:3422)
	  kthread (rw/compile/kernel/kthread.c:465)
	  ? rcu_is_watching (rw/compile/./include/linux/context_tracking.h:128 rw/compile/kernel/rcu/tree.c:751)
	  ? pr_cont_work (rw/compile/kernel/workqueue.c:3367)
	  ? kthread_blkcg (rw/compile/kernel/kthread.c:412)
	  ret_from_fork (rw/compile/arch/x86/kernel/process.c:164)
	  ? kthread_blkcg (rw/compile/kernel/kthread.c:412)
	  ret_from_fork_asm (rw/compile/arch/x86/entry/entry_64.S:256)

	Allocated by task 6379:
	  kasan_save_track (rw/compile/mm/kasan/common.c:58 rw/compile/mm/kasan/common.c:78)
	  __kasan_kmalloc (rw/compile/mm/kasan/common.c:419)
	  __kmalloc_cache_noprof (rw/compile/mm/slub.c:5781)
	  kernfs_fop_open.llvm.1481521202032378051 (rw/compile/./include/linux/slab.h:957 rw/compile/./include/linux/slab.h:1094 rw/compile/fs/kernfs/file.c:641)
	  do_dentry_open (rw/compile/fs/open.c:963)
	  vfs_open (rw/compile/fs/open.c:1095)
	  path_openat (rw/compile/fs/namei.c:4638 rw/compile/fs/namei.c:4796)
	  do_filp_open (rw/compile/fs/namei.c:4823)
	  do_sys_openat2 (rw/compile/./include/linux/err.h:78 rw/compile/./include/linux/file.h:177 rw/compile/fs/open.c:1430)
	  __x64_sys_openat (rw/compile/fs/open.c:1447)
	  do_syscall_64 (rw/compile/arch/x86/entry/syscall_64.c:?)
	  entry_SYSCALL_64_after_hwframe (rw/compile/arch/x86/entry/entry_64.S:131)

	Freed by task 6379:
	  kasan_save_track (rw/compile/mm/kasan/common.c:58 rw/compile/mm/kasan/common.c:78)
	  kasan_save_free_info (rw/compile/mm/kasan/generic.c:587)
	  __kasan_slab_free (rw/compile/mm/kasan/common.c:287)
	  kfree (rw/compile/mm/slub.c:6674 rw/compile/mm/slub.c:6882)
	  kernfs_fop_release.llvm.1481521202032378051 (rw/compile/fs/kernfs/file.c:788)
	  __fput (rw/compile/fs/file_table.c:469)
	  fput_close_sync (rw/compile/fs/file_table.c:574)
	  __x64_sys_close (rw/compile/fs/open.c:1575 rw/compile/fs/open.c:1558 rw/compile/fs/open.c:1558)
	  do_syscall_64 (rw/compile/arch/x86/entry/syscall_64.c:?)
	  entry_SYSCALL_64_after_hwframe (rw/compile/arch/x86/entry/entry_64.S:131)

	  BUG: kernel NULL pointer dereference, address: 0000000000000000
	  #PF: supervisor instruction fetch in kernel mode
	  #PF: error_code(0x0010) - not-present page
	  PGD 1d14bb067 P4D 1d14bb067 PUD 67c50d067 PMD 0
	  Oops: Oops: 0010 [#1] SMP DEBUG_PAGEALLOC KASAN
	  Hardware name: Quanta North Dome MP/North Dome MP, BIOS F09C_3B14.sign 04/12/2023
	  Workqueue: events smi_work [ipmi_msghandler]

The next patch contains the issue I found and a possible fix.

Signed-off-by: Breno Leitao <leitao@...ian.org>
---
Breno Leitao (1):
      ipmi: Fix use-after-free and list corruption on sender error

 drivers/char/ipmi/ipmi_msghandler.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
---
base-commit: cf38b2340c0e60ef695b7137440a4d187ed49c88
change-id: 20260127-ipmi-03bae4a027bd

Best regards,
--  
Breno Leitao <leitao@...ian.org>
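The "list_add double add" line in the report comes from the sanity checks CONFIG_DEBUG_LIST runs in lib/list_debug.c before every list insert. The following is an added illustration, written for this archive page and not taken from the patch or from the kernel tree: a constructed stand-in for struct list_head with the same three checks (next->prev, prev->next, and the double-add test), a checked list_add_tail that refuses the insert instead of corrupting the ring, and a demo that queues one message twice the way the deliver_response() path in the trace did. The structure names, the message id, and the list_length() walker are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct list_head: a circular doubly-linked list. */
struct list_head {
    struct list_head *next, *prev;
};

static void init_list_head(struct list_head *list)
{
    list->next = list;
    list->prev = list;
}

/*
 * The checks CONFIG_DEBUG_LIST performs before linking `entry` between
 * `prev` and `next`. The last one produces the "list_add double add"
 * line seen in the report: the element is already the neighbour it is
 * about to be linked next to.
 */
static bool list_add_valid(const struct list_head *entry,
                           const struct list_head *prev,
                           const struct list_head *next)
{
    if (next->prev != prev) {
        fprintf(stderr, "list_add corruption: next->prev should be prev (%p), but was %p\n",
                (const void *)prev, (const void *)next->prev);
        return false;
    }
    if (prev->next != next) {
        fprintf(stderr, "list_add corruption: prev->next should be next (%p), but was %p\n",
                (const void *)next, (const void *)prev->next);
        return false;
    }
    if (entry == prev || entry == next) {
        fprintf(stderr, "list_add double add: new=%p, prev=%p, next=%p.\n",
                (const void *)entry, (const void *)prev, (const void *)next);
        return false;
    }
    return true;
}

/* list_add_tail with the check in front: a rejected insert leaves the ring intact. */
static bool list_add_tail_checked(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev, *next = head;

    if (!list_add_valid(entry, prev, next))
        return false;
    next->prev = entry;
    entry->next = next;
    entry->prev = prev;
    prev->next = entry;
    return true;
}

/* Walks the ring; a corrupted ring could loop forever, so the walk is capped. */
static int list_length(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head && n < 1000; p = p->next)
        n++;
    return n;
}

struct recv_msg {
    int msgid;
    struct list_head link;   /* embedded the way ipmi_recv_msg carries its link */
};

/*
 * Queue one message twice on a waiting list (constructed scenario).
 * Returns how many adds were rejected and stores the final ring length.
 */
static int demo_double_add(int *len_out)
{
    struct list_head waiting_rcv_msgs;
    struct recv_msg msg = { .msgid = 42 };   /* assumed sample message */
    int rejected = 0;

    init_list_head(&waiting_rcv_msgs);
    init_list_head(&msg.link);
    if (!list_add_tail_checked(&msg.link, &waiting_rcv_msgs))
        rejected++;
    /* Second add: prev == head->prev == &msg.link, i.e. new == prev as in the WARNING. */
    if (!list_add_tail_checked(&msg.link, &waiting_rcv_msgs))
        rejected++;
    *len_out = list_length(&waiting_rcv_msgs);
    return rejected;
}

int main(void)
{
    int len;
    int rejected = demo_double_add(&len);

    printf("rejected=%d, list length=%d\n", rejected, len);
    return (rejected == 1 && len == 1) ? 0 : 1;
}
```

The second list_add_tail lands with prev equal to the element itself, which is exactly the new == prev pattern printed in the trace; without the check, the element's prev pointer would point at itself and the ring would no longer be walkable, which is the list corruption that precedes the use-after-free in the report.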

