lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 5 Dec 2023 13:13:03 +0000
From: Geethasowjanya Akula <gakula@...vell.com>
To: Paolo Abeni <pabeni@...hat.com>, Zhipeng Lu <alexious@....edu.cn>
CC: Sunil Kovvuri Goutham <sgoutham@...vell.com>,
        Linu Cherian
	<lcherian@...vell.com>,
        Jerin Jacob Kollanukkaran <jerinj@...vell.com>,
        Hariprasad Kelam <hkelam@...vell.com>,
        Subbaraya Sundeep Bhatta
	<sbhatta@...vell.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
        George Cherian
	<gcherian@...vell.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [EXT] Re: [PATCH] octeontx2-af: fix a use-after-free in
 rvu_npa_register_reporters



> -----Original Message-----
> From: Paolo Abeni <pabeni@...hat.com>
> Sent: Tuesday, December 5, 2023 6:05 PM
> To: Zhipeng Lu <alexious@....edu.cn>
> Cc: Sunil Kovvuri Goutham <sgoutham@...vell.com>; Linu Cherian
> <lcherian@...vell.com>; Geethasowjanya Akula <gakula@...vell.com>;
> Jerin Jacob Kollanukkaran <jerinj@...vell.com>; Hariprasad Kelam
> <hkelam@...vell.com>; Subbaraya Sundeep Bhatta
> <sbhatta@...vell.com>; David S. Miller <davem@...emloft.net>; Eric
> Dumazet <edumazet@...gle.com>; Jakub Kicinski <kuba@...nel.org>;
> George Cherian <gcherian@...vell.com>; netdev@...r.kernel.org; linux-
> kernel@...r.kernel.org
> Subject: [EXT] Re: [PATCH] octeontx2-af: fix a use-after-free in
> rvu_npa_register_reporters
> 
> External Email
> 
> ----------------------------------------------------------------------
> On Sat, 2023-12-02 at 17:59 +0800, Zhipeng Lu wrote:
> > The rvu_dl will be freed in rvu_npa_health_reporters_destroy(rvu_dl)
> > after the create_workqueue fails, and after that free, the rvu_dl will
> > be translate back through rvu_npa_health_reporters_create,
> > rvu_health_reporters_create, and rvu_register_dl. Finally it goes to
> > the err_dl_health label, being freed again in
> > rvu_health_reporters_destroy(rvu) by rvu_npa_health_reporters_destroy.
> > In the second calls of rvu_npa_health_reporters_destroy, however, it
> > uses rvu_dl->rvu_npa_health_reporter, which is already freed at the
> > end of rvu_npa_health_reporters_destroy in the first call.
> >
> > So this patch prevents the first destroy by instantly returning
> > -ENONMEN when create_workqueue fails. In addition, since the failure
> > of create_workqueue is the only entrence of label err, it has been
> > integrated into the error-handling path of create_workqueue.
> >
> > Fixes: f1168d1e207c ("octeontx2-af: Add devlink health reporters for
> > NPA")
> > Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> > ---
> >  drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 5 +----
> >  1 file changed, 1 insertion(+), 4 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
> > b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
> > index 41df5ac23f92..058f75dc4c8a 100644
> > --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
> > +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
> > @@ -1285,7 +1285,7 @@ static int rvu_npa_register_reporters(struct
> > rvu_devlink *rvu_dl)
> >
> >  	rvu_dl->devlink_wq = create_workqueue("rvu_devlink_wq");
> >  	if (!rvu_dl->devlink_wq)
> > -		goto err;
> > +		return -ENOMEM;
> >
> >  	INIT_WORK(&rvu_reporters->intr_work, rvu_npa_intr_work);
> >  	INIT_WORK(&rvu_reporters->err_work, rvu_npa_err_work); @@ -
> 1293,9
> > +1293,6 @@ static int rvu_npa_register_reporters(struct rvu_devlink
> *rvu_dl)
> >  	INIT_WORK(&rvu_reporters->ras_work, rvu_npa_ras_work);
> >
> >  	return 0;
> > -err:
> > -	rvu_npa_health_reporters_destroy(rvu_dl);
> > -	return -ENOMEM;
> >  }
> >
> >  static int rvu_npa_health_reporters_create(struct rvu_devlink
> > *rvu_dl)
> 
> LGTM
> 
> Acked-by: Paolo Abeni <pabeni@...hat.com>
> 
> but allow some little more time for Marvel's people to have a better look.
> 
> Cheers,
> 
> Paolo
Ack. Thanks for the patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ