| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <SJ1PR11MB6297415A2DAD536807C0EF609B3AA@SJ1PR11MB6297.namprd11.prod.outlook.com>
Date: Fri, 29 Aug 2025 17:23:27 +0000
From: "Salin, Samuel" <samuel.salin@...el.com>
To: "Hay, Joshua A" <joshua.a.hay@...el.com>,
"intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Zaremba, Larysa"
<larysa.zaremba@...el.com>, "Hay, Joshua A" <joshua.a.hay@...el.com>,
"Loktionov, Aleksandr" <aleksandr.loktionov@...el.com>
Subject: RE: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux
dev deinitialization
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf Of
> Joshua Hay
> Sent: Monday, August 11, 2025 5:19 PM
> To: intel-wired-lan@...ts.osuosl.org
> Cc: netdev@...r.kernel.org; Zaremba, Larysa <larysa.zaremba@...el.com>;
> Hay, Joshua A <joshua.a.hay@...el.com>; Loktionov, Aleksandr
> <aleksandr.loktionov@...el.com>
> Subject: [Intel-wired-lan] [PATCH iwl-net] idpf: fix UAF in RDMA core aux dev
> deinitialization
>
> Free the adev->id before auxiliary_device_uninit. The call to uninit triggers the
> release callback, which frees the iadev memory containing the adev. The
> previous flow results in a UAF during rmmod due to the adev->id access.
>
> [264939.604077]
> ==================================================================
> [264939.604093] BUG: KASAN: slab-use-after-free in
> idpf_idc_deinit_core_aux_device+0xe4/0x100 [idpf] [264939.604134] Read
> of size 4 at addr ff1100109eb6eaf8 by task rmmod/17842
>
> ...
>
> [264939.604635] Allocated by task 17597:
> [264939.604643] kasan_save_stack+0x20/0x40 [264939.604654]
> kasan_save_track+0x14/0x30 [264939.604663] __kasan_kmalloc+0x8f/0xa0
> [264939.604672] idpf_idc_init_aux_core_dev+0x4bd/0xb60 [idpf]
> [264939.604700] idpf_idc_init+0x55/0xd0 [idpf] [264939.604726]
> process_one_work+0x658/0xfe0 [264939.604742]
> worker_thread+0x6e1/0xf10 [264939.604750] kthread+0x382/0x740
> [264939.604762] ret_from_fork+0x23a/0x310 [264939.604772]
> ret_from_fork_asm+0x1a/0x30
>
> [264939.604785] Freed by task 17842:
> [264939.604790] kasan_save_stack+0x20/0x40 [264939.604799]
> kasan_save_track+0x14/0x30 [264939.604808]
> kasan_save_free_info+0x3b/0x60 [264939.604820]
> __kasan_slab_free+0x37/0x50 [264939.604830] kfree+0xf1/0x420
> [264939.604840] device_release+0x9c/0x210 [264939.604850]
> kobject_put+0x17c/0x4b0 [264939.604860]
> idpf_idc_deinit_core_aux_device+0x4f/0x100 [idpf] [264939.604886]
> idpf_vc_core_deinit+0xba/0x3a0 [idpf] [264939.604915]
> idpf_remove+0xb0/0x7c0 [idpf] [264939.604944]
> pci_device_remove+0xab/0x1e0 [264939.604955]
> device_release_driver_internal+0x371/0x530
> [264939.604969] driver_detach+0xbf/0x180 [264939.604981]
> bus_remove_driver+0x11b/0x2a0 [264939.604991]
> pci_unregister_driver+0x2a/0x250 [264939.605005]
> __do_sys_delete_module.constprop.0+0x2eb/0x540
> [264939.605014] do_syscall_64+0x64/0x2c0 [264939.605024]
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init,
> and destroy")
> Signed-off-by: Joshua Hay <joshua.a.hay@...el.com>
> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@...el.com>
> ---
> 2.39.2
Tested-by: Samuel Salin <Samuel.salin@...el.com>
Powered by blists - more mailing lists