| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220806143043.106787-1-wangjialiang0806@163.com>
Date: Sat, 6 Aug 2022 22:30:43 +0800
From: Jialiang Wang <wangjialiang0806@....com>
To: simon.horman@...igine.com, kuba@...nel.org, davem@...emloft.net,
edumazet@...gle.com, pabeni@...hat.com, niejianglei2021@....com,
wangjialiang0806@....com
Cc: oss-drivers@...igine.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] nfp: fix use-after-free in area_cache_get()
area_cache_get() calls cpp->op->area_init() and uses cache->area by
nfp_cpp_area_priv(area), but in
nfp_cpp_area_release()->nfp_cpp_area_put()->__release_cpp_area() we
already freed the cache->area.
To avoid the use-after-free, reallocate a piece of memory for the
cache->area by nfp_cpp_area_alloc().
Note: This vulnerability is triggerable by providing emulated device
equipped with specified configuration.
BUG: KASAN: use-after-free in nfp6000_area_init+0x74/0x1d0 [nfp]
Write of size 4 at addr ffff888005b490a0 by task insmod/226
Call Trace:
<TASK>
dump_stack_lvl+0x33/0x46
print_report.cold.12+0xb2/0x6b7
? nfp6000_area_init+0x74/0x1d0 [nfp]
kasan_report+0xa5/0x120
? nfp6000_area_init+0x74/0x1d0 [nfp]
nfp6000_area_init+0x74/0x1d0 [nfp]
area_cache_get.constprop.8+0x2da/0x360 [nfp]
Signed-off-by: Jialiang Wang <wangjialiang0806@....com>
---
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
index 34c0d2ddf9ef..99091f24d2ba 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
@@ -871,6 +871,10 @@ area_cache_get(struct nfp_cpp *cpp, u32 id,
nfp_cpp_area_release(cache->area);
cache->id = 0;
cache->addr = 0;
+ cache->area = nfp_cpp_area_alloc(cpp,
+ NFP_CPP_ID(7,
+ NFP_CPP_ACTION_RW, 0),
+ 0, cache->size);
}
/* Adjust the start address to be cache size aligned */
--
2.17.1
Powered by blists - more mailing lists