lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 17 Oct 2018 22:27:28 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     idosch@...lanox.com
Cc:     netdev@...r.kernel.org, jiri@...lanox.com, petrm@...lanox.com,
        alexpe@...lanox.com, mlxsw@...lanox.com
Subject: Re: [PATCH net] mlxsw: core: Fix use-after-free when flashing
 firmware during init

From: Ido Schimmel <idosch@...lanox.com>
Date: Wed, 17 Oct 2018 08:05:45 +0000

> When the switch driver (e.g., mlxsw_spectrum) determines it needs to
> flash a new firmware version it resets the ASIC after the flashing
> process. The bus driver (e.g., mlxsw_pci) then registers itself again
> with mlxsw_core which means (among other things) that the device
> registers itself again with the hwmon subsystem again.
> 
> Since the device was registered with the hwmon subsystem using
> devm_hwmon_device_register_with_groups(), then the old hwmon device
> (registered before the flashing) was never unregistered and was
> referencing stale data, resulting in a use-after free.
> 
> Fix by removing reliance on device managed APIs in mlxsw_hwmon_init().
> 
> Fixes: c86d62cc410c ("mlxsw: spectrum: Reset FW after flash")
> Signed-off-by: Ido Schimmel <idosch@...lanox.com>
> Reported-by: Alexander Petrovskiy <alexpe@...lanox.com>
> Tested-by: Alexander Petrovskiy <alexpe@...lanox.com>
> Reviewed-by: Petr Machata <petrm@...lanox.com>

Applied.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ