| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251024161304.724436-1-Pavel.Zhigulin@kaspersky.com>
Date: Fri, 24 Oct 2025 19:13:02 +0300
From: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>
To: Jakub Kicinski <kuba@...nel.org>
CC: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>, Paolo Abeni
<pabeni@...hat.com>, Zhu Yanjun <yanjun.zhu@...ux.dev>, Andrew Lunn
<andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>, Eric
Dumazet <edumazet@...gle.com>, Leon Romanovsky <leon@...nel.org>, Steffen
Klassert <steffen.klassert@...unet.com>, Cosmin Ratiu <cratiu@...dia.com>,
Ayush Sawal <ayush.sawal@...lsio.com>, Harsh Jain <harsh@...lsio.com>, Atul
Gupta <atul.gupta@...lsio.com>, Herbert Xu <herbert@...dor.apana.org.au>,
Ganesh Goudar <ganeshgr@...lsio.com>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH net v4] net: cxgb4/ch_ipsec: fix potential use-after-free in ch_ipsec_xfrm_add_state() callback
In ch_ipsec_xfrm_add_state() there is not check of try_module_get
return value. It is very unlikely, but try_module_get() could return
false value, which could cause use-after-free error.
Conditions: The module count must be zero, and a module unload in
progress. The thread doing the unload is blocked somewhere.
Another thread makes a callback into the module for some request
that (for instance) would need to create a kernel thread.
It tries to get a reference for the thread.
So try_module_get(THIS_MODULE) is the right call - and will fail here.
This fix adds checking the result of try_module_get call
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 6dad4e8ab3ec ("chcr: Add support for Inline IPSec")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>
---
v4: Add module_put() on allocation fail after try_module_get() as
Jakub Kicinski <kuba@...nel.org> noticed during review. Thanks!
v3: Move the try_module_get() check above the code that initializes
the sa_entry struct, as suggested by Paolo Abeni <pabeni@...hat.com>
during code review.
v2: Remove redundant headers. Provide better description.
v1: https://lore.kernel.org/all/20251001111646.806130-1-Pavel.Zhigulin@kaspersky.com/
.../ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
index ecd9a0bd5e18..49b57bb5fac1 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
@@ -290,9 +290,15 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
return -EINVAL;
}
+ if (unlikely(!try_module_get(THIS_MODULE))) {
+ NL_SET_ERR_MSG_MOD(extack, "Failed to acquire module reference");
+ return -ENODEV;
+ }
+
sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
if (!sa_entry) {
res = -ENOMEM;
+ module_put(THIS_MODULE);
goto out;
}
@@ -301,7 +307,6 @@ static int ch_ipsec_xfrm_add_state(struct net_device *dev,
sa_entry->esn = 1;
ch_ipsec_setkey(x, sa_entry);
x->xso.offload_handle = (unsigned long)sa_entry;
- try_module_get(THIS_MODULE);
out:
return res;
}
--
2.43.0
Powered by blists - more mailing lists