Date:   Sun, 19 Jun 2022 06:24:06 +0000
From:   <wentao_liang_g@....com>
To:     "kuba@...nel.org" <kuba@...nel.org>
CC:     "jdmason@...zu.us" <jdmason@...zu.us>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "pabeni@...hat.com" <pabeni@...hat.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in vxge-main.c

Hi,

I replied to your mail and answered your questions about my
patch a few days ago, as follows. Do you have any more questions?
I have already renewed the patch with the correct subject and tag.

I am looking forward to the patch being accepted and merged.
 
Thanks
 
Wentao
 
 
>No errors happening during a test is not a sufficient proof of
>correctness. You need to analyze the driver and figure out what bar0 
>is used for.
 
Bar0 is a Base Address Register (BAR) in PCIe devices. It points
to the memory space of the device. When the device is removed,
we need to iounmap it. We checked the related code and did not find
bar0 referenced in the remaining part of vxge_remove(). We believe
moving the iounmap before vxge_device_unregister is proper.
 
 
>Alternatively just save the address of bar0 to a local variable, let
>the netdev unregister happen, and then call *unmap() on the local
>variable. That won't move the unmap and avoid the UAF.
 
This is not the right way to patch the bug. The UAF is not triggered
by accessing the address itself but by accessing the memory pointed
to by bar0. Even if the address is saved, the memory is still freed.
Accessing the memory in iounmap will result in a UAF as well. The
experiment also proved it.
 
>But please LMK how you use these cards first.
 
In order to trigger the vulnerability, a vxge device is required. 
We use QEMU to emulate the device.
 
Besides, I want to point out that the UAF bug is in the remove
routine of the device. There is no operation on a removed device.
If the device can be removed safely in the patched kernel, we do not
have to worry about anything else.
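A constructed C model of the ordering problem discussed in this thread, added here as an illustration and not the vxge driver's code: struct vdev_model, model_probe, model_unregister and model_iounmap_bar0 are stand-ins for struct vxgedev, probe, vxge_device_unregister and iounmap(vdev->bar0) that track whether the private struct is still allocated, so the wrong teardown order is reported as a return code instead of as undefined behaviour.

```c
/* Constructed model of the vxge_remove() ordering bug (not driver code). */
#include <stdlib.h>

struct vdev_model {      /* stands in for the driver's private struct vxgedev */
    void *bar0;          /* mapped BAR0 window, must be iounmap'd on remove */
};

static char fake_bar0[16];             /* placeholder for the ioremap'd window */
static struct vdev_model *live_vdev;   /* the vdev that is still allocated */

/* Models probe: allocate the private struct and "map" BAR0. */
static struct vdev_model *model_probe(void)
{
    struct vdev_model *vdev = malloc(sizeof *vdev);
    vdev->bar0 = fake_bar0;
    live_vdev = vdev;
    return vdev;
}

/* Models vxge_device_unregister(): the netdev, and vdev with it, is freed. */
static void model_unregister(struct vdev_model *vdev)
{
    live_vdev = NULL;
    free(vdev);
}

/* Models iounmap(vdev->bar0): bar0 must first be read out of vdev.
 * Returns -1 when that read would touch freed memory (the UAF), 0 on success. */
static int model_iounmap_bar0(struct vdev_model *vdev)
{
    if (vdev != live_vdev)
        return -1;          /* vdev already freed: use-after-free */
    (void)vdev->bar0;       /* dereference is safe only while vdev is live */
    return 0;
}

/* Original order: unregister (frees vdev), then iounmap(vdev->bar0). */
int remove_original(void)
{
    struct vdev_model *vdev = model_probe();
    model_unregister(vdev);
    return model_iounmap_bar0(vdev);     /* -1: reads the freed vdev */
}

/* Patched order: iounmap while vdev is alive, then unregister. */
int remove_patched(void)
{
    struct vdev_model *vdev = model_probe();
    int rc = model_iounmap_bar0(vdev);   /* 0: vdev still live */
    model_unregister(vdev);
    return rc;
}
```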
