Message-ID: <SJ1PR11MB6297415A2DAD536807C0EF609B3AA@SJ1PR11MB6297.namprd11.prod.outlook.com>
Date: Fri, 29 Aug 2025 17:23:27 +0000
From: "Salin, Samuel" <samuel.salin@...el.com>
To: "Hay, Joshua A" <joshua.a.hay@...el.com>,
	"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Zaremba, Larysa"
	<larysa.zaremba@...el.com>, "Hay, Joshua A" <joshua.a.hay@...el.com>,
	"Loktionov, Aleksandr" <aleksandr.loktionov@...el.com>
Subject: RE: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux
 dev deinitialization



> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf Of
> Joshua Hay
> Sent: Monday, August 11, 2025 5:19 PM
> To: intel-wired-lan@...ts.osuosl.org
> Cc: netdev@...r.kernel.org; Zaremba, Larysa <larysa.zaremba@...el.com>;
> Hay, Joshua A <joshua.a.hay@...el.com>; Loktionov, Aleksandr
> <aleksandr.loktionov@...el.com>
> Subject: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux dev
> deinitialization
> 
> Free the adev->id before auxiliary_device_uninit. The call to uninit triggers the
> release callback, which frees the iadev memory containing the adev. The
> previous flow results in a UAF during rmmod due to the adev->id access.
> 
> [264939.604077] ==================================================================
> [264939.604093] BUG: KASAN: slab-use-after-free in idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf]
> [264939.604134] Read of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
> 
> ...
> 
> [264939.604635] Allocated by task 17597:
> [264939.604643]  kasan_save_stack+0x20/0x40
> [264939.604654]  kasan_save_track+0x14/0x30
> [264939.604663]  __kasan_kmalloc+0x8f/0xa0
> [264939.604672]  idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
> [264939.604700]  idpf_idc_init+0x55/0xd0 [idpf]
> [264939.604726]  process_one_work+0x658/0xfe0
> [264939.604742]  worker_thread+0x6e1/0xf10
> [264939.604750]  kthread+0x382/0x740
> [264939.604762]  ret_from_fork+0x23a/0x310
> [264939.604772]  ret_from_fork_asm+0x1a/0x30
> 
> [264939.604785] Freed by task 17842:
> [264939.604790]  kasan_save_stack+0x20/0x40
> [264939.604799]  kasan_save_track+0x14/0x30
> [264939.604808]  kasan_save_free_info+0x3b/0x60
> [264939.604820]  __kasan_slab_free+0x37/0x50
> [264939.604830]  kfree+0xf1/0x420
> [264939.604840]  device_release+0x9c/0x210
> [264939.604850]  kobject_put+0x17c/0x4b0
> [264939.604860]  idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf]
> [264939.604886]  idpf_vc_core_deinit+0xba/0x3a0 [idpf]
> [264939.604915]  idpf_remove+0xb0/0x7c0 [idpf]
> [264939.604944]  pci_device_remove+0xab/0x1e0
> [264939.604955]  device_release_driver_internal+0x371/0x530
> [264939.604969]  driver_detach+0xbf/0x180
> [264939.604981]  bus_remove_driver+0x11b/0x2a0
> [264939.604991]  pci_unregister_driver+0x2a/0x250
> [264939.605005]  __do_sys_delete_module.constprop.0+0x2eb/0x540
> [264939.605014]  do_syscall_64+0x64/0x2c0
> [264939.605024]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> 
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init,
> and destroy")
> Signed-off-by: Joshua Hay <joshua.a.hay@...el.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@...el.com>
> ---
> 2.39.2

Tested-by: Samuel Salin <Samuel.salin@...el.com>
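
The ordering problem described in the quoted commit message, as an added userspace C model that is not part of the original message or of the idpf driver. Every struct and function name below is a hypothetical stand-in: `aux_uninit()` plays the role of the uninit call whose final reference drop runs the release callback, and `core_deinit()` shows the corrected order.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model of the lifetime bug; every name here is hypothetical. */
struct aux_dev {                 /* stands in for the auxiliary device */
    int id;
    int refcount;
    void (*release)(struct aux_dev *);
};
struct core_aux {                /* stands in for the iadev container */
    char payload[64];
    struct aux_dev adev;         /* embedded: freed together with the container */
};
static unsigned int id_bitmap;   /* toy allocator for 32 IDs */
static int release_calls;
static int id_alloc(void) {
    for (int i = 0; i < 32; i++)
        if (!(id_bitmap & (1u << i))) { id_bitmap |= 1u << i; return i; }
    return -1;
}
static void id_free(int id) { id_bitmap &= ~(1u << id); }
/* Release callback: frees the container, and the embedded adev with it. */
static void core_release(struct aux_dev *adev) {
    release_calls++;
    free((char *)adev - offsetof(struct core_aux, adev));
}
/* Dropping the last reference runs the release callback. */
static void aux_uninit(struct aux_dev *adev) {
    if (--adev->refcount == 0) adev->release(adev);
}
struct core_aux *core_init(void) {
    struct core_aux *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    c->adev.id = id_alloc();
    if (c->adev.id < 0) { free(c); return NULL; }
    c->adev.refcount = 1;
    c->adev.release = core_release;
    return c;
}
/* Fixed order. Calling aux_uninit() first would read adev.id from freed memory. */
void core_deinit(struct core_aux *c) {
    id_free(c->adev.id);         /* container is still alive here */
    aux_uninit(&c->adev);        /* may free c: no access to c after this */
}
int main(void) {
    struct core_aux *c = core_init();
    if (c) core_deinit(c);
    return (id_bitmap == 0 && release_calls == 1) ? 0 : 1;
}
```

Building the model with `-fsanitize=address` and swapping the two calls in `core_deinit()` yields a userspace heap-use-after-free report with the same allocated-by/freed-by structure as the KASAN splat above.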
