| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20181017.222728.1239752924086172945.davem@davemloft.net>
Date: Wed, 17 Oct 2018 22:27:28 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: idosch@...lanox.com
Cc: netdev@...r.kernel.org, jiri@...lanox.com, petrm@...lanox.com,
alexpe@...lanox.com, mlxsw@...lanox.com
Subject: Re: [PATCH net] mlxsw: core: Fix use-after-free when flashing
firmware during init
From: Ido Schimmel <idosch@...lanox.com>
Date: Wed, 17 Oct 2018 08:05:45 +0000
> When the switch driver (e.g., mlxsw_spectrum) determines it needs to
> flash a new firmware version it resets the ASIC after the flashing
> process. The bus driver (e.g., mlxsw_pci) then registers itself again
> with mlxsw_core which means (among other things) that the device
> registers itself again with the hwmon subsystem again.
>
> Since the device was registered with the hwmon subsystem using
> devm_hwmon_device_register_with_groups(), then the old hwmon device
> (registered before the flashing) was never unregistered and was
> referencing stale data, resulting in a use-after free.
>
> Fix by removing reliance on device managed APIs in mlxsw_hwmon_init().
>
> Fixes: c86d62cc410c ("mlxsw: spectrum: Reset FW after flash")
> Signed-off-by: Ido Schimmel <idosch@...lanox.com>
> Reported-by: Alexander Petrovskiy <alexpe@...lanox.com>
> Tested-by: Alexander Petrovskiy <alexpe@...lanox.com>
> Reviewed-by: Petr Machata <petrm@...lanox.com>
Applied.
Powered by blists - more mailing lists