lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 28 Sep 2020 10:43:01 +0300
From:   Leon Romanovsky <leon@...nel.org>
To:     Alex Dewar <alex.dewar90@...il.com>
Cc:     Saeed Mahameed <saeedm@...dia.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Roi Dayan <roid@...lanox.com>, Oz Shlomo <ozsh@...lanox.com>,
        Paul Blakey <paulb@...lanox.com>,
        Ariel Levkovich <lariel@...dia.com>,
        Eli Britstein <elibr@...lanox.com>, netdev@...r.kernel.org,
        linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/3] net/mlx5e: Fix use of freed pointer

On Sun, Sep 27, 2020 at 12:32:53PM +0100, Alex Dewar wrote:
> If the call to mlx5_fc_create() fails, then shared_counter will be freed
> before its member, shared_counter->counter, is accessed to retrieve the
> error code. Fix by using an intermediate variable.
>
> Addresses-Coverity: CID 1497153: Memory - illegal accesses (USE_AFTER_FREE)
> Signed-off-by: Alex Dewar <alex.dewar90@...il.com>
> ---

Please add Fixes line.

>  drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
> index b5f8ed30047b..5851a1dfe6e4 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
> @@ -738,6 +738,7 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv,
>  	struct mlx5_ct_shared_counter *shared_counter;
>  	struct mlx5_core_dev *dev = ct_priv->dev;
>  	struct mlx5_ct_entry *rev_entry;
> +	struct mlx5_fc *counter;
>  	__be16 tmp_port;
>
>  	/* get the reversed tuple */
> @@ -775,12 +776,13 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv,
>  	if (!shared_counter)
>  		return ERR_PTR(-ENOMEM);
>
> -	shared_counter->counter = mlx5_fc_create(dev, true);
> -	if (IS_ERR(shared_counter->counter)) {
> +	counter = mlx5_fc_create(dev, true);
> +	if (IS_ERR(counter)) {
>  		ct_dbg("Failed to create counter for ct entry");
>  		kfree(shared_counter);
> -		return ERR_PTR(PTR_ERR(shared_counter->counter));
> +		return (struct mlx5_ct_shared_counter *)counter;

return ERR_CAST(counter);


>  	}
> +	shared_counter->counter = counter;
>
>  	refcount_set(&shared_counter->refcount, 1);
>  	return shared_counter;
> --
> 2.28.0
>

Powered by blists - more mailing lists