Date: Tue, 14 Jun 2022 13:21:02 +0200 
From: Paolo Abeni <pabeni@...hat.com>
To: Wentao_Liang <Wentao_Liang_g@....com>, jdmason@...zu.us, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Fix a use-after-free bug

On Tue, 2022-06-14 at 09:28 +0800, Wentao_Liang wrote:
> The pointer vdev points to a memory region adjacent to a net_device
> structure ndev, which is a field of hldev. At line 4740, the invocation
> to vxge_device_unregister unregisters device hldev, and it also releases
> the memory region pointed by vdev->bar0. At line 4743, the freed memory
> region is referenced (i.e., iounmap(vdev->bar0)), resulting in a
> use-after-free vulnerability. We can fix the bug by calling iounmap
> before vxge_device_unregister.
>
> 4721. static void vxge_remove(struct pci_dev *pdev)
> 4722. {
> 4723.     struct __vxge_hw_device *hldev;
> 4724.     struct vxgedev *vdev;
> …
> 4731.     vdev = netdev_priv(hldev->ndev);
> …
> 4740.     vxge_device_unregister(hldev);
> 4741.     /* Do not call pci_disable_sriov here, as it will break child devices */
> 4742.     vxge_hw_device_terminate(hldev);
> 4743.     iounmap(vdev->bar0);
> …
> 4749      vxge_debug_init(vdev->level_trace, "%s:%d Device unregistered",
> 4750              __func__, __LINE__);
> 4751      vxge_debug_entryexit(vdev->level_trace, "%s:%d Exiting...", __func__,
> 4752              __LINE__);
> 4753. }
>
> This is the screenshot when the vulnerability is triggered by using
> KASAN. We can see that there is a use-after-free reported by KASAN.
>
> /***********************report begin***************************/
>
> root@...nel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
> [  178.296316] vxge_remove
> [  182.057081] ==================================================================
> [  182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c
> [  182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119
> [  182.057983]
> [  182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5
> [  182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [  182.059463] Call Trace:
> [  182.059726]  <TASK>
> [  182.060017]  dump_stack_lvl+0x34/0x44
> [  182.060316]  print_report.cold+0xb2/0x6b7
> [  182.060401]  ? kfree+0x89/0x290
> [  182.060478]  ? vxge_remove+0xe0/0x15c
> [  182.060545]  kasan_report+0xa9/0x120
> ...
> [  182.070606] ==================================================================
> [  182.071374] Disabling lock debugging due to kernel taint
>
> /************************report end***************************/

It's better to include a complete backtrace.

>
> After fixing the bug as done in the patch, we can find KASAN does not report
> the bug and the device (00:03.0) has been successfully removed.
>
> /************************report begin*************************/
>
> root@...nel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
> root@...nel:~#
>
> /************************report end***************************/
>
> Signed-off-by: Wentao_Liang <Wentao_Liang_g@....com>

Please include a 'Fixes' tag pointing to the commit introducing the bug,
and please specify the relevant target tree and driver in the patch subj.
It should be something like:

[PATCH net v2] vxge: fix a use-after-free bug

Thanks,

Paolo

> ---
>  drivers/net/ethernet/neterion/vxge/vxge-main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c > index fa5d4ddf429b..092fd0ae5831 100644 > --- a/drivers/net/ethernet/neterion/vxge/vxge-main.c > +++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c > @@ -4736,10 +4736,10 @@ static void vxge_remove(struct pci_dev *pdev) > for (i = 0; i < vdev->no_of_vpath; i++) > vxge_free_mac_add_list(&vdev->vpaths[i]); > > + iounmap(vdev->bar0); > vxge_device_unregister(hldev); > /* Do not call pci_disable_sriov here, as it will break child devices */ > vxge_hw_device_terminate(hldev); > - iounmap(vdev->bar0); > pci_release_region(pdev, 0); > pci_disable_device(pdev); > driver_config->config_dev_cnt--;
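Review bot: moving only iounmap(vdev->bar0) ahead of vxge_device_unregister(hldev) does not remove every access to the freed vdev; the listing quoted above still reads vdev->level_trace at lines 4749 and 4751 after the unregister call, which is the same use-after-free pattern this hunk is fixing for bar0. The hunk also leaves vxge_hw_device_terminate(hldev) running after the BAR has been unmapped, so if that teardown touches device registers through hldev it would now hit an unmapped region. Copying bar0 and level_trace into locals before vxge_device_unregister(hldev), then unmapping after vxge_hw_device_terminate(hldev), would cover all of these accesses while keeping the original teardown order.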