| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Nov 2021 11:08:17 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Pavel Skripkin <paskripkin@...il.com>
Cc: ioana.ciornei@....com, davem@...emloft.net, kuba@...nel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
On Sat, Nov 13, 2021 at 08:20:13PM +0300, Pavel Skripkin wrote:
> Access to netdev after free_netdev() will cause use-after-free bug.
> Move debug log before free_netdev() call to avoid it.
>
> Cc: stable@...r.kernel.org # v4.19+
> Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> ---
>
> Note about Fixes: tag. The commit introduced it was before this driver
> was moved out from staging. I guess, Fixes tag cannot be used here.
> Please, let me know if I am wrong.
>
You should still use the Fixes tag.
> Cc: Dan Carpenter <dan.carpenter@...cle.com>
>
> @Dan, is there a smatch checker for straigthforward use after free bugs?
> Like acessing pointer after free was called? I think, adding
> free_netdev() to check list might be good idea
>
> I've skimmed througth smatch source and didn't find one, so can you,
> please, point out to it if it exists.
It's check_free_strict.c.
It does cross function analysis but free_netdev() is tricky because it
doesn't free directly, it just drops the reference count. Also it
delays freeing in the NETREG_UNREGISTERING path so this check might
cause false positives? I'll add free_netdev() to the list of free
functions and test it overnight tonight.
register_free_hook("free_netdev", &match_free, 0);
regards,
dan carpenter
Powered by blists - more mailing lists