lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20211115080817.GE27562@kadam>
Date:   Mon, 15 Nov 2021 11:08:17 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Pavel Skripkin <paskripkin@...il.com>
Cc:     ioana.ciornei@....com, davem@...emloft.net, kuba@...nel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove

On Sat, Nov 13, 2021 at 08:20:13PM +0300, Pavel Skripkin wrote:
> Access to netdev after free_netdev() will cause use-after-free bug.
> Move debug log before free_netdev() call to avoid it.
> 
> Cc: stable@...r.kernel.org # v4.19+
> Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> ---
> 
> Note about Fixes: tag. The commit introduced it was before this driver
> was moved out from staging. I guess, Fixes tag cannot be used here.
> Please, let me know if I am wrong.
> 

You should still use the Fixes tag.

> Cc: Dan Carpenter <dan.carpenter@...cle.com>
> 
> @Dan, is there a smatch checker for straigthforward use after free bugs?
> Like acessing pointer after free was called? I think, adding
> free_netdev() to check list might be good idea
> 
> I've skimmed througth smatch source and didn't find one, so can you,
> please, point out to it if it exists.

It's check_free_strict.c.

It does cross function analysis but free_netdev() is tricky because it
doesn't free directly, it just drops the reference count.  Also it
delays freeing in the NETREG_UNREGISTERING path so this check might
cause false positives? I'll add free_netdev() to the list of free
functions and test it overnight tonight.

	register_free_hook("free_netdev", &match_free, 0);

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ