lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 5 Nov 2021 13:37:21 +0000
From:   YE Chengfeng <cyeaa@...nect.ust.hk>
To:     Dan Carpenter <dan.carpenter@...cle.com>
CC:     "krzysztof.kozlowski@...onical.com" 
        <krzysztof.kozlowski@...onical.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "wengjianfeng@...ong.com" <wengjianfeng@...ong.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: 回复: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0

Thanks for your advice. I follow it and send a v2 patch, is it correct?

Best regards,
Chengfeng

-----邮件原件-----
发件人: Dan Carpenter <dan.carpenter@...cle.com> 
发送时间: 2021年11月5日 20:17
收件人: YE Chengfeng <cyeaa@...nect.ust.hk>
抄送: krzysztof.kozlowski@...onical.com; davem@...emloft.net; wengjianfeng@...ong.com; kuba@...nel.org; netdev@...r.kernel.org; linux-kernel@...r.kernel.org
主题: Re: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0

On Fri, Nov 05, 2021 at 09:22:12AM +0000, YE Chengfeng wrote:
> Hi,
> 
> We notice that skb is already freed by dev_kfree_skb in 
> pn533_fill_fragment_skbs, but follow error handler branch #line 2288 
> and #line 2356, skb is freed again, seems like a double free issue.
> Would you like to have a look at them?
> 
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Ftorvalds%2Flinux%2Fblob%2Fmaster%2Fdrivers%2Fnfc%2Fpn533%2Fpn
> 533.c%23L2288&amp;data=04%7C01%7Ccyeaa%40connect.ust.hk%7C29df72d1f8a3
> 4473a15008d9a05642cf%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C6377
> 17114624016520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=9nssVI5NtyEUvnH6k
> NP60dqSmtgfWILoKXimcJWIiKc%3D&amp;reserved=0
> 

The code is buggy, yes, but it's a bit tricky to fix.

pn533_fill_fragment_skbs() never returns error codes, it returns zero on error.  Specifically it clears out the &dev->fragment_skb list and then returns the length of the list "skb_queue_len(&dev->fragment_skb)"
which is now zero.

Returning success on transmit failure is fine because the network stack thinks it was lost somewhere in the network and resends it.  But probably it should return -ENOMEM?  But changing the return would make the other caller into a double free now.

So probably the correct fix is to
1) Make pn533_fill_fragment_skbs() return -ENOMEM on error
2) Don't call dev_kfree_skb(skb); on error in pn533_fill_fragment_skbs().
   Only call it on the success path.
3) Change the callers to check for negatives instead of <= 0

> We will provide patch for them after confirmation.

Sounds great.  You can fix it however you want.  My ideas are a suggestion only.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ