* [PATCH] net/mlx5/core/fpga/ipsec: Fix use-after-free
From: Gustavo A. R. Silva @ 2018-03-22 18:03 UTC
To: Ilan Tayari, Boris Pismenny, Saeed Mahameed, Matan Barak,
Leon Romanovsky
Cc: netdev, linux-rdma, linux-kernel, Gustavo A. R. Silva

_rule_ is being freed and then dereferenced by accessing rule->ctx

Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local
variable for its safe use after freeing _rule_

Addresses-Coverity-ID: 1466041 ("Read from pointer after free")
Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
index 4f15685..0f5da49 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
@@ -1061,8 +1061,9 @@ static int fpga_ipsec_fs_create_fte(struct mlx5_core_dev *dev,
rule->ctx = mlx5_fpga_ipsec_fs_create_sa_ctx(dev, fte, is_egress);
if (IS_ERR(rule->ctx)) {
+ int err = PTR_ERR(rule->ctx);
kfree(rule);
- return PTR_ERR(rule->ctx);
+ return err;
}
rule->fte = fte;
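
Review bot: in the IS_ERR(rule->ctx) branch the error path still has to read from rule before kfree(rule), so the fix is only correct as long as the two statements keep this order. Holding the result of mlx5_fpga_ipsec_fs_create_sa_ctx() in a local pointer, checking IS_ERR() on that local, and assigning rule->ctx only on success would let the error path call kfree(rule) and return PTR_ERR() of the local without touching rule at all.
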
--
2.7.4
* Re: [PATCH] net/mlx5/core/fpga/ipsec: Fix use-after-free
From: Yuval Shaia @ 2018-03-22 18:32 UTC
To: Gustavo A. R. Silva
Cc: Ilan Tayari, Boris Pismenny, Saeed Mahameed, Matan Barak,
Leon Romanovsky, netdev, linux-rdma, linux-kernel
On Thu, Mar 22, 2018 at 01:03:42PM -0500, Gustavo A. R. Silva wrote:
> _rule_ is being freed and then dereferenced by accessing rule->ctx
>
> Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local
> variable for its safe use after freeing _rule_
>
> Addresses-Coverity-ID: 1466041 ("Read from pointer after free")
> Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation")
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Prefix should not be that long, a short one as this is enough.
net/mlx5: Fix use-after-free
Besides that - lgtm.
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> index 4f15685..0f5da49 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> @@ -1061,8 +1061,9 @@ static int fpga_ipsec_fs_create_fte(struct mlx5_core_dev *dev,
>
> rule->ctx = mlx5_fpga_ipsec_fs_create_sa_ctx(dev, fte, is_egress);
> if (IS_ERR(rule->ctx)) {
> + int err = PTR_ERR(rule->ctx);
> kfree(rule);
> - return PTR_ERR(rule->ctx);
> + return err;
> }
>
> rule->fte = fte;
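
Review bot: the new declaration `int err = PTR_ERR(rule->ctx);` is followed directly by kfree(rule) with no blank line in between; kernel coding style expects a blank line after the declarations in a block, and checkpatch.pl warns when it is missing. Adding it in v2, alongside the shorter subject prefix, keeps the patch checkpatch-clean.
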
> --
> 2.7.4
>
* Re: [PATCH] net/mlx5/core/fpga/ipsec: Fix use-after-free
From: Gustavo A. R. Silva @ 2018-03-22 18:37 UTC
To: Yuval Shaia
Cc: Ilan Tayari, Boris Pismenny, Saeed Mahameed, Matan Barak,
Leon Romanovsky, netdev, linux-rdma, linux-kernel
Hi Yuval,
On 03/22/2018 01:32 PM, Yuval Shaia wrote:
> On Thu, Mar 22, 2018 at 01:03:42PM -0500, Gustavo A. R. Silva wrote:
>> _rule_ is being freed and then dereferenced by accessing rule->ctx
>>
>> Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local
>> variable for its safe use after freeing _rule_
>>
>> Addresses-Coverity-ID: 1466041 ("Read from pointer after free")
>> Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation")
>> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
>
> Prefix should not be that long, a short one as this is enough.
>
Yeah. Actually, I was suspicious about it.
> net/mlx5: Fix use-after-free
>
> Besides that - lgtm.
>
> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
>
I'll send v2 with a short prefix and add your Reviewed-by.
Thanks for the feedback.
--
Gustavo