lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sat,  6 Aug 2022 22:30:43 +0800
From:   Jialiang Wang <>
Subject: [PATCH] nfp: fix use-after-free in area_cache_get()

area_cache_get() calls cpp->op->area_init() and uses cache->area by
 nfp_cpp_area_priv(area), but in
 nfp_cpp_area_release()->nfp_cpp_area_put()->__release_cpp_area() we
 already freed the cache->area.

To avoid the use-after-free, reallocate a piece of memory for the
 cache->area by nfp_cpp_area_alloc().

Note: This vulnerability is triggerable by providing emulated device
 equipped with specified configuration.

BUG: KASAN: use-after-free in nfp6000_area_init+0x74/0x1d0 [nfp]
Write of size 4 at addr ffff888005b490a0 by task insmod/226
Call Trace:
  ? nfp6000_area_init+0x74/0x1d0 [nfp]
  ? nfp6000_area_init+0x74/0x1d0 [nfp]
  nfp6000_area_init+0x74/0x1d0 [nfp]
  area_cache_get.constprop.8+0x2da/0x360 [nfp]

Signed-off-by: Jialiang Wang <>
 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
index 34c0d2ddf9ef..99091f24d2ba 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
@@ -871,6 +871,10 @@ area_cache_get(struct nfp_cpp *cpp, u32 id,
 		cache->id = 0;
 		cache->addr = 0;
+		cache->area = nfp_cpp_area_alloc(cpp,
+						 NFP_CPP_ID(7,
+						 NFP_CPP_ACTION_RW, 0),
+						 0, cache->size);
 	/* Adjust the start address to be cache size aligned */

Powered by blists - more mailing lists