| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211013180111.611dac91@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Wed, 13 Oct 2021 18:01:11 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Lin Ma <linma@....edu.cn>
Cc: linux-nfc@...ts.01.org, krzysztof.kozlowski@...onical.com,
davem@...emloft.net, bongsu.jeon@...sung.com,
netdev@...r.kernel.org
Subject: Re: [PATCH] NFC: NULL out conn_info reference when conn is closed
On Wed, 13 Oct 2021 12:30:52 +0800 Lin Ma wrote:
> The nci_core_conn_close_rsp_packet() function will release the conn_info
> with given conn_id. However, this reference of this object may still held
> by other places like ndev->rf_conn_info in routine:
> .. -> nci_recv_frame()
> -> nci_rx_work()
> -> nci_rsp_packet()
> -> nci_rf_disc_rsp_packet()
> -> devm_kzalloc()
> ndev->rf_conn_info = conn_info;
>
> or ndev->hci_dev->conn_info in routine:
> .. -> nci_recv_frame()
> -> nci_rx_work()
> -> nci_rsp_packet()
> -> nci_core_conn_create_rsp_packet()
> -> devm_kzalloc()
> ndev->hci_dev->conn_info = conn_info;
>
> If these two places are not NULL out, potential UAF can be exploited by
> the attacker when emulating an UART NFC device. This patch compares the
> deallocating object with the two places and writes NULL to prevent that.
>
> Signed-off-by: Lin Ma <linma@....edu.cn>
This doesn't apply, looks like we already have half of this patch in
the networking fixes tree:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=1b1499a817c90fd1ce9453a2c98d2a01cca0e775
Please rebase on top of that and resend. Add a Fixes tag while at it.
Powered by blists - more mailing lists