lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Dec 2022 19:40:26 +0100 From: Michal Swiatkowski <michal.swiatkowski@...ux.intel.com> To: Daniil Tatianin <d-tatianin@...dex-team.ru> Cc: Shahed Shaikh <shshaikh@...vell.com>, Manish Chopra <manishc@...vell.com>, GR-Linux-NIC-Dev@...vell.com, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v1] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure On Wed, Dec 21, 2022 at 10:47:29AM +0300, Daniil Tatianin wrote: > On 12/20/22 4:32 PM, Michal Swiatkowski wrote: > > On Tue, Dec 20, 2022 at 03:56:49PM +0300, Daniil Tatianin wrote: > > > adapter->dcb would get silently freed inside qlcnic_dcb_enable() in > > > case qlcnic_dcb_attach() would return an error, which always happens > > > under OOM conditions. This would lead to use-after-free because both > > > of the existing callers invoke qlcnic_dcb_get_info() on the obtained > > > pointer, which is potentially freed at that point. > > > > > > Propagate errors from qlcnic_dcb_enable(), and instead free the dcb > > > pointer at callsite. > > > > > > Found by Linux Verification Center (linuxtesting.org) with the SVACE > > > static analysis tool. > > > > > > Signed-off-by: Daniil Tatianin <d-tatianin@...dex-team.ru> > > > > Please add Fix tag and net as target (net-next is close till the end of > > this year) > > > Sorry, I'll include a fixes tag. > Could you please explain what I would have to do to add net as target? Sorry, maybe it was bad wording. I meant to have PATCH net v2 in title. For example by adding to git format-patch: --subject-prefix="PATCH net v2" > > > --- > > > drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 9 ++++++++- > > > drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h | 5 ++--- > > > drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 9 ++++++++- > > > 3 files changed, 18 insertions(+), 5 deletions(-) > > > > > > diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c > > > index dbb800769cb6..465f149d94d4 100644 > > > --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c > > > +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c > > > @@ -2505,7 +2505,14 @@ int qlcnic_83xx_init(struct qlcnic_adapter *adapter) > > > goto disable_mbx_intr; > > > qlcnic_83xx_clear_function_resources(adapter); > > > - qlcnic_dcb_enable(adapter->dcb); > > > + > > > + err = qlcnic_dcb_enable(adapter->dcb); > > > + if (err) { > > > + qlcnic_clear_dcb_ops(adapter->dcb); > > > + adapter->dcb = NULL; > > > + goto disable_mbx_intr; > > > + } > > > > Maybe I miss sth but it looks like there can be memory leak. > > For example if error in attach happen after allocating of dcb->cfg. > > Isn't it better to call qlcnic_dcb_free instead of qlcnic_clear_dcb_ops? > I think you're right, if attach fails midway then we might leak cfg or > something else. > I'll use qlcnic_dcb_free() instead and completely remove > qlcnic_clear_dcb_ops() as it > seems to be unused and relies on dcb being in a very specific state. Great, thanks [...]
Powered by blists - more mailing lists