Date:   Wed, 6 May 2020 04:14:49 +0000
From:   Po Liu <po.liu@....com>
To:     Dan Carpenter <dan.carpenter@...cle.com>,
        Claudiu Manoil <claudiu.manoil@....com>
CC:     "David S. Miller" <davem@...emloft.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE:  [PATCH net-next] enetc: Fix use after free in
 stream_filter_unref()

Hi Dan,


> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@...cle.com>
> Sent: May 6, 2020 4:47
> To: Claudiu Manoil <claudiu.manoil@....com>; Po Liu <po.liu@....com>
> Cc: David S. Miller <davem@...emloft.net>; netdev@...r.kernel.org;
> kernel-janitors@...r.kernel.org
> Subject: [PATCH net-next] enetc: Fix use after free in
> stream_filter_unref()
> 
> 
> This code frees "sfi" and then dereferences it on the next line.
> 
> Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
>  drivers/net/ethernet/freescale/enetc/enetc_qos.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> index 48e589e9d0f7c..10d79eb46c2e8 100644
> --- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> @@ -902,8 +902,8 @@ static void stream_filter_unref(struct
> enetc_ndev_priv *priv, u32 index)
>         if (z) {
>                 enetc_streamfilter_hw_set(priv, sfi, false);
>                 hlist_del(&sfi->node);
> -               kfree(sfi);
>                 clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);

This "sfi->index" should be "index", but the patch also fixes it.

> +               kfree(sfi);
>         }
>  }
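
Review bot: on the moved `clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);` line, the bit number is still read from the object that is freed on the very next line, so correctness depends entirely on the order of these two statements. stream_filter_unref() already receives `u32 index`; if that is the same index used to look up `sfi` (the lookup is outside this hunk), passing `index` to clear_bit() would drop the dependency on `sfi` and keep the use after free from returning if the lines are reordered later.
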
> 
> --
> 2.26.2

Thanks a lot.

Br,
Po Liu
