lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <730cf5ed-2239-34f7-79a5-ffa4d9bb8fae@sangfor.com.cn>
Date:   Mon, 1 May 2023 15:41:18 +0800
From:   Ding Hui <dinghui@...gfor.com.cn>
To:     Simon Horman <simon.horman@...igine.com>
Cc:     davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, intel-wired-lan@...ts.osuosl.org,
        jesse.brandeburg@...el.com, anthony.l.nguyen@...el.com,
        keescook@...omium.org, grzegorzx.szczurek@...el.com,
        mateusz.palczewski@...el.com, mitch.a.williams@...el.com,
        gregory.v.rose@...el.com, jeffrey.t.kirsher@...el.com,
        michal.kubiak@...el.com, madhu.chittim@...el.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org, pengdonglin@...gfor.com.cn,
        huangcun@...gfor.com.cn
Subject: Re: [PATCH net v3 1/2] iavf: Fix use-after-free in free_netdev

On 2023/5/1 15:01, Simon Horman wrote:
> On Sat, Apr 29, 2023 at 09:20:21PM +0800, Ding Hui wrote:
>> We do netif_napi_add() for all allocated q_vectors[], but potentially
>> do netif_napi_del() for part of them, then kfree q_vectors and leave
>> invalid pointers at dev->napi_list.
>>
>> ...
>>
>> Although the patch #2 (of 2) can avoid the issuse triggered by this
>> repro.sh, there still are other potential risks that if num_active_queues
>> is changed to less than allocated q_vectors[] by unexpected, the
>> mismatched netif_napi_add/del() can also casue UAF.
> 
> nit: ./checkpatch --codespell tells me:
> 
>       s/casue/cause/
> 

Sorry, I'll fix it in v4.

>> Since we actually call netif_napi_add() for all allocated q_vectors
>> unconditionally in iavf_alloc_q_vectors(), so we should fix it by
>> letting netif_napi_del() match to netif_napi_add().
>>
>> Fixes: 5eae00c57f5e ("i40evf: main driver core")
>> Signed-off-by: Ding Hui <dinghui@...gfor.com.cn>
>> Cc: Donglin Peng <pengdonglin@...gfor.com.cn>
>> Cc: Huang Cun <huangcun@...gfor.com.cn>
>> Reviewed-by: Simon Horman <simon.horman@...igine.com>
>> Reviewed-by: Michal Kubiak <michal.kubiak@...el.com>
>> Reviewed-by: Madhu Chittim <madhu.chittim@...el.com>
> 
> 
> 

-- 
Thanks,
-dinghui

Powered by blists - more mailing lists