| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Jun 2023 22:47:21 -0700
From: Saeed Mahameed <saeed@...nel.org>
To: "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Eric Dumazet <edumazet@...gle.com>
Cc: Saeed Mahameed <saeedm@...dia.com>,
netdev@...r.kernel.org,
Tariq Toukan <tariqt@...dia.com>,
Shay Drory <shayd@...dia.com>,
Dan Carpenter <dan.carpenter@...aro.org>,
Automatic Verification <verifier@...dia.com>,
Gal Pressman <gal@...dia.com>,
Moshe Shemesh <moshe@...dia.com>
Subject: [net-next 01/15] net/mlx5: Fix UAF in mlx5_eswitch_cleanup()
From: Shay Drory <shayd@...dia.com>
mlx5_eswitch_cleanup() is using esw right after freeing it for
releasing devlink_param.
Fix it by releasing the devlink_param before freeing the esw, and
adjust the create function accordingly.
Fixes: 3f90840305e2 ("net/mlx5: Move esw multiport devlink param to eswitch code")
Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
Signed-off-by: Shay Drory <shayd@...dia.com>
Reviewed-by: Automatic Verification <verifier@...dia.com>
Reviewed-by: Gal Pressman <gal@...dia.com>
Reviewed-by: Moshe Shemesh <moshe@...dia.com>
Signed-off-by: Saeed Mahameed <saeedm@...dia.com>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 5aaedbf71783..b4e465856127 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1751,16 +1751,14 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
if (!MLX5_VPORT_MANAGER(dev) && !MLX5_ESWITCH_MANAGER(dev))
return 0;
+ esw = kzalloc(sizeof(*esw), GFP_KERNEL);
+ if (!esw)
+ return -ENOMEM;
+
err = devl_params_register(priv_to_devlink(dev), mlx5_eswitch_params,
ARRAY_SIZE(mlx5_eswitch_params));
if (err)
- return err;
-
- esw = kzalloc(sizeof(*esw), GFP_KERNEL);
- if (!esw) {
- err = -ENOMEM;
- goto unregister_param;
- }
+ goto free_esw;
esw->dev = dev;
esw->manager_vport = mlx5_eswitch_manager_vport(dev);
@@ -1821,10 +1819,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
if (esw->work_queue)
destroy_workqueue(esw->work_queue);
debugfs_remove_recursive(esw->debugfs_root);
- kfree(esw);
-unregister_param:
devl_params_unregister(priv_to_devlink(dev), mlx5_eswitch_params,
ARRAY_SIZE(mlx5_eswitch_params));
+free_esw:
+ kfree(esw);
return err;
}
@@ -1848,9 +1846,9 @@ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
esw_offloads_cleanup(esw);
mlx5_esw_vports_cleanup(esw);
debugfs_remove_recursive(esw->debugfs_root);
- kfree(esw);
devl_params_unregister(priv_to_devlink(esw->dev), mlx5_eswitch_params,
ARRAY_SIZE(mlx5_eswitch_params));
+ kfree(esw);
}
/* Vport Administration */
--
2.41.0
Powered by blists - more mailing lists