Message-ID: <896cec0e-53b5-42ce-a273-6954570466e2@stanley.mountain>
Date: Fri, 21 Mar 2025 17:36:09 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Lin Ma <linma@....edu.cn>
Cc: netdev@...r.kernel.org
Subject: [bug report] net: nfc: Fix use-after-free caused by nfc_llcp_find_local

Hello Lin Ma,

Commit 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by
nfc_llcp_find_local") from Jun 25, 2023 (linux-next), leads to the
following Smatch static checker warning:

	net/nfc/llcp_core.c:650 nfc_llcp_general_bytes()
	warn: 'local' was already freed. (line 648)

net/nfc/llcp_core.c
    634 u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
    635 {
    636         struct nfc_llcp_local *local;
    637 
    638         local = nfc_llcp_find_local(dev);

This takes a reference to local.

    639         if (local == NULL) {
    640                 *general_bytes_len = 0;
    641                 return NULL;
    642         }
    643 
    644         nfc_llcp_build_gb(local);
    645 
    646         *general_bytes_len = local->gb_len;
    647 
    648         nfc_llcp_local_put(local);

Here we drop the reference, meaning that another thread could easily
drop their reference and then we're in a use-after-free.

    649 
--> 650         return local->gb;

The ->gb array is a buffer in the middle of the local array.  We
should hold onto the reference and only drop it in the caller when
the caller is finished with ->gb.

    651 }

regards,
dan carpenter
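A toy C model of the reference lifetime described in the report, added here as an illustration; it is not kernel code and not part of the original message. `struct local`, `local_get`/`local_put`, `find_local`, `build_gb`, `general_bytes_buggy` and `general_bytes_fixed` are constructed stand-ins for the nfc_llcp_* functions, and a `freed` flag replaces `kfree()` so the stale-pointer case can be inspected without undefined behaviour. The two scenario functions replay the race the report describes: a concurrent teardown drops the device's own reference right after `nfc_llcp_general_bytes()` returns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a refcounted object with an embedded buffer, in the
 * shape of struct nfc_llcp_local and its ->gb[] array.  "freed" stands in
 * for kfree() so a stale pointer can be detected instead of dereferenced. */
struct local {
	int refcount;
	int freed;            /* set when the last reference is dropped */
	size_t gb_len;
	unsigned char gb[16]; /* general bytes live inside the object itself */
};

static void local_get(struct local *l) { l->refcount++; }

static void local_put(struct local *l)
{
	if (--l->refcount == 0)
		l->freed = 1; /* real code: kfree(l), the memory is gone */
}

/* Models nfc_llcp_find_local(): hands back the object with a reference taken. */
static struct local *find_local(struct local *dev_local)
{
	if (!dev_local || dev_local->freed)
		return NULL;
	local_get(dev_local);
	return dev_local;
}

/* Fills ->gb with constructed placeholder bytes (stands in for nfc_llcp_build_gb). */
static void build_gb(struct local *l)
{
	static const unsigned char sample[] = { 0xAA, 0xBB, 0xCC, 0xDD };
	memcpy(l->gb, sample, sizeof(sample));
	l->gb_len = sizeof(sample);
}

/* The ordering the checker flagged: the reference is dropped before a
 * pointer into the object is handed back to the caller. */
static unsigned char *general_bytes_buggy(struct local *dev_local, size_t *len)
{
	struct local *l = find_local(dev_local);

	if (!l) {
		*len = 0;
		return NULL;
	}
	build_gb(l);
	*len = l->gb_len;
	local_put(l); /* nothing keeps l alive from here on */
	return l->gb; /* pointer into an object we no longer hold */
}

/* One way to follow the report's advice: keep the reference across the
 * return and let the caller drop it once it is finished with ->gb. */
static unsigned char *general_bytes_fixed(struct local *dev_local, size_t *len,
					  struct local **held)
{
	struct local *l = find_local(dev_local);

	*held = NULL;
	if (!l) {
		*len = 0;
		return NULL;
	}
	build_gb(l);
	*len = l->gb_len;
	*held = l; /* caller must local_put(*held) when done with ->gb */
	return l->gb;
}

/* Returns 1 if, after a concurrent teardown drops the device's own
 * reference, the buffer pointer the caller still holds points into a
 * freed object. */
int buggy_pointer_is_stale(void)
{
	struct local dev = { .refcount = 1 }; /* device owns one reference */
	size_t len;
	unsigned char *gb = general_bytes_buggy(&dev, &len);

	local_put(&dev); /* teardown on another thread drops the last reference */
	return gb != NULL && dev.freed;
}

/* Same race against the fixed ordering.  Returns 1 if the object stayed
 * alive while ->gb was read and the caller's put then released it (no leak). */
int fixed_pointer_is_safe(void)
{
	struct local dev = { .refcount = 1 };
	struct local *held;
	size_t len;
	unsigned char *gb = general_bytes_fixed(&dev, &len, &held);
	int alive_at_read;

	local_put(&dev); /* teardown: the reference we still hold keeps it alive */
	alive_at_read = gb != NULL && !dev.freed && gb[0] == 0xAA;
	local_put(held); /* caller is done with ->gb */
	return alive_at_read && dev.freed;
}

int main(void)
{
	printf("flagged ordering, pointer stale after teardown: %d\n", buggy_pointer_is_stale());
	printf("fixed ordering, read safe and object released: %d\n", fixed_pointer_is_safe());
	return 0;
}
```

The point the model makes is that the lifetime of `->gb` is the lifetime of the object it is embedded in, so whoever reads the buffer must be the one still holding the reference; `general_bytes_fixed` moves the `local_put()` out to the caller, which is the split the report recommends.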
