lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20200330.114539.1547226893911280155.davem@davemloft.net>
Date:   Mon, 30 Mar 2020 11:45:39 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     ybason@...vell.com
Cc:     netdev@...r.kernel.org, mkalderon@...vell.com
Subject: Re: [PATCH net-next] qed: Fix use after free in qed_chain_free

From: Yuval Basson <ybason@...vell.com>
Date: Sun, 29 Mar 2020 20:32:49 +0300

> The qed_chain data structure was modified in
> commit 1a4a69751f4d ("qed: Chain support for external PBL") to support
> receiving an external pbl (due to iWARP FW requirements).
> The pages pointed to by the pbl are allocated in qed_chain_alloc
> and their virtual address are stored in an virtual addresses array to
> enable accessing and freeing the data. The physical addresses however
> weren't stored and were accessed directly from the external-pbl
> during free.
> 
> Destroy-qp flow, leads to freeing the external pbl before the chain is
> freed, when the chain is freed it tries accessing the already freed
> external pbl, leading to a use-after-free. Therefore we need to store
> the physical addresses in additional to the virtual addresses in a
> new data structure.
> 
> Fixes: 1a4a69751f4d ("qed: Chain support for external PBL")
> Signed-off-by: Michal Kalderon <mkalderon@...vell.com>
> Signed-off-by: Yuval Bason <ybason@...vell.com>

Applied.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ