lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220808121536.412c042d@kernel.org> Date: Mon, 8 Aug 2022 12:15:36 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Jialiang Wang <wangjialiang0806@....com> Cc: simon.horman@...igine.com, davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com, niejianglei2021@....com, oss-drivers@...igine.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] nfp: fix use-after-free in area_cache_get() On Sat, 6 Aug 2022 22:30:43 +0800 Jialiang Wang wrote: > area_cache_get() calls cpp->op->area_init() and uses cache->area by > nfp_cpp_area_priv(area), but in > nfp_cpp_area_release()->nfp_cpp_area_put()->__release_cpp_area() we > already freed the cache->area. > > To avoid the use-after-free, reallocate a piece of memory for the > cache->area by nfp_cpp_area_alloc(). > > Note: This vulnerability is triggerable by providing emulated device > equipped with specified configuration. > > BUG: KASAN: use-after-free in nfp6000_area_init+0x74/0x1d0 [nfp] > Write of size 4 at addr ffff888005b490a0 by task insmod/226 > Call Trace: > <TASK> > dump_stack_lvl+0x33/0x46 > print_report.cold.12+0xb2/0x6b7 > ? nfp6000_area_init+0x74/0x1d0 [nfp] > kasan_report+0xa5/0x120 > ? nfp6000_area_init+0x74/0x1d0 [nfp] > nfp6000_area_init+0x74/0x1d0 [nfp] > area_cache_get.constprop.8+0x2da/0x360 [nfp] Please provide more of the report, including the allocated at and freed at sections and run the thing thru stack decode so we get the line numbers.
Powered by blists - more mailing lists