lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 12 May 2022 09:20:58 +0200
From:   Paolo Abeni <pabeni@...hat.com>
To:     Zixuan Fu <r33s3n6@...il.com>, doshir@...are.com,
        pv-drivers@...are.com, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        baijiaju1990@...il.com, TOTE Robot <oslab@...nghua.edu.cn>
Subject: Re: [PATCH v2] drivers: net: vmxnet3: fix possible use-after-free
 bugs in vmxnet3_rq_alloc_rx_buf()

Hello,

On Tue, 2022-05-10 at 21:17 +0800, Zixuan Fu wrote:
> In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is
> freed immediately. Similarly, in another branch, when dma_map_page() fails,
> rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf()
> returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all()
> -> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls
> vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page
> are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs.
> 
> To fix these possible bugs, rbi->skb and rbi->page should be cleared after
> they are freed.
> 
> The error log in our fault-injection testing is shown as follows:
> 
> [   14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150
> ...
> [   14.321586] Call Trace:
> ...
> [   14.325357]  consume_skb+0x2f/0x150
> [   14.325671]  vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3]
> [   14.326150]  vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3]
> [   14.326616]  vmxnet3_open+0x387/0x470 [vmxnet3]
> ...
> [   14.361675] Allocated by task 351:
> ...
> [   14.362688]  __netdev_alloc_skb+0x1b3/0x6f0
> [   14.362960]  vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3]
> [   14.363317]  vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3]
> [   14.363661]  vmxnet3_open+0x387/0x470 [vmxnet3]
> ...
> [   14.367309] 
> [   14.367412] Freed by task 351:
> ...
> [   14.368932]  __dev_kfree_skb_any+0xd2/0xe0
> [   14.369193]  vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3]
> [   14.369544]  vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3]
> [   14.369883]  vmxnet3_open+0x387/0x470 [vmxnet3]
> [   14.370174]  __dev_open+0x28a/0x420
> [   14.370399]  __dev_change_flags+0x192/0x590
> [   14.370667]  dev_change_flags+0x7a/0x180
> [   14.370919]  do_setlink+0xb28/0x3570
> [   14.371150]  rtnl_newlink+0x1160/0x1740
> [   14.371399]  rtnetlink_rcv_msg+0x5bf/0xa50
> [   14.371661]  netlink_rcv_skb+0x1cd/0x3e0
> [   14.371913]  netlink_unicast+0x5dc/0x840
> [   14.372169]  netlink_sendmsg+0x856/0xc40
> [   14.372420]  ____sys_sendmsg+0x8a7/0x8d0
> [   14.372673]  __sys_sendmsg+0x1c2/0x270
> [   14.372914]  do_syscall_64+0x41/0x90
> [   14.373145]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> ...
> 
> Reported-by: TOTE Robot <oslab@...nghua.edu.cn>
> Signed-off-by: Zixuan Fu <r33s3n6@...il.com>

This looks like targeting the 'net' tree. You should specify that in
the patch subj. More importantly you should provide a 'Fixes' tag
pointing to commit introducing the issue.

Please provide a new version addressing the above.

Thanks,

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ