Message-ID: <730cf5ed-2239-34f7-79a5-ffa4d9bb8fae@sangfor.com.cn>
Date: Mon, 1 May 2023 15:41:18 +0800
From: Ding Hui <dinghui@...gfor.com.cn>
To: Simon Horman <simon.horman@...igine.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, intel-wired-lan@...ts.osuosl.org, jesse.brandeburg@...el.com, anthony.l.nguyen@...el.com, keescook@...omium.org, grzegorzx.szczurek@...el.com, mateusz.palczewski@...el.com, mitch.a.williams@...el.com, gregory.v.rose@...el.com, jeffrey.t.kirsher@...el.com, michal.kubiak@...el.com, madhu.chittim@...el.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, pengdonglin@...gfor.com.cn, huangcun@...gfor.com.cn
Subject: Re: [PATCH net v3 1/2] iavf: Fix use-after-free in free_netdev

On 2023/5/1 15:01, Simon Horman wrote:
> On Sat, Apr 29, 2023 at 09:20:21PM +0800, Ding Hui wrote:
>> We do netif_napi_add() for all allocated q_vectors[], but potentially
>> do netif_napi_del() for part of them, then kfree q_vectors and leave
>> invalid pointers at dev->napi_list.
>>
>> ...
>>
>> Although the patch #2 (of 2) can avoid the issue triggered by this
>> repro.sh, there still are other potential risks that if num_active_queues
>> is changed to less than allocated q_vectors[] by unexpected, the
>> mismatched netif_napi_add/del() can also casue UAF.
>
> nit: ./checkpatch --codespell tells me:
>
> s/casue/cause/
>

Sorry, I'll fix it in v4.

>> Since we actually call netif_napi_add() for all allocated q_vectors
>> unconditionally in iavf_alloc_q_vectors(), so we should fix it by
>> letting netif_napi_del() match to netif_napi_add().
>>
>> Fixes: 5eae00c57f5e ("i40evf: main driver core")
>> Signed-off-by: Ding Hui <dinghui@...gfor.com.cn>
>> Cc: Donglin Peng <pengdonglin@...gfor.com.cn>
>> Cc: Huang Cun <huangcun@...gfor.com.cn>
>> Reviewed-by: Simon Horman <simon.horman@...igine.com>
>> Reviewed-by: Michal Kubiak <michal.kubiak@...el.com>
>> Reviewed-by: Madhu Chittim <madhu.chittim@...el.com>
>
>
>

-- 
Thanks,
-dinghui
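
The add/del mismatch described in the quoted commit message, as an added userspace model (not code from the patch or the iavf driver). The struct and function names are hypothetical stand-ins for the netdev napi_list and the q_vectors[] array; the model counts the list entries that would dangle once the array is freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not kernel code. */
struct napi { struct napi *next, *prev; };
struct q_vector { struct napi napi; };
struct netdev { struct napi napi_list; };   /* circular list head */

static void napi_add(struct netdev *dev, struct napi *n)
{
    n->next = dev->napi_list.next;
    n->prev = &dev->napi_list;
    dev->napi_list.next->prev = n;
    dev->napi_list.next = n;
}

static void napi_del(struct napi *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = n;
}

/* Add every allocated vector, delete only the active ones (mismatched) or
 * all of them (matched), then free the array. Returns the number of list
 * entries that still point into the array when it is freed. */
static int stale_entries_after_teardown(int num_alloc, int num_active, int del_all)
{
    struct netdev dev;
    struct q_vector *qv;
    int i, ndel, stale = 0;

    if (num_alloc <= 0 || num_active < 0 || num_active > num_alloc)
        return -1;
    dev.napi_list.next = dev.napi_list.prev = &dev.napi_list;
    qv = calloc((size_t)num_alloc, sizeof(*qv));
    if (!qv)
        return -1;
    for (i = 0; i < num_alloc; i++)
        napi_add(&dev, &qv[i].napi);
    ndel = del_all ? num_alloc : num_active;
    for (i = 0; i < ndel; i++)
        napi_del(&qv[i].napi);
    /* Count before freeing so the model never reads freed memory. */
    for (struct napi *p = dev.napi_list.next; p != &dev.napi_list; p = p->next)
        stale++;
    free(qv);
    return stale;
}

int main(void)
{
    printf("del active only: %d stale\n", stale_entries_after_teardown(8, 4, 0));
    printf("del all added:   %d stale\n", stale_entries_after_teardown(8, 4, 1));
    return 0;
}
```

Any non-zero result is a pointer that a later walk of the list, such as the one in free_netdev(), would follow into freed memory.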