* [PATCH] ipmi: Prevent use-after-free in deliver_response
@ 2019-01-18 23:10 Fred Klassen
From: Fred Klassen @ 2019-01-18 23:10 UTC (permalink / raw)
  To: Corey Minyard (supporter:IPMI SUBSYSTEM),
	Arnd Bergmann (supporter:CHAR and MISC DRIVERS),
	Greg Kroah-Hartman (supporter:CHAR and MISC DRIVERS),
	moderated list:IPMI SUBSYSTEM, open list
  Cc: stable

Some IPMI modules (e.g. ibmpex_msg_handler()) will have ipmi_usr_hdlr
handlers that call ipmi_free_recv_msg() directly. This will essentially
kfree(msg), leading to use-after-free.

This does not happen in the ipmi_devintf module, which will queue the
message and run ipmi_free_recv_msg() later.

 BUG: KASAN: use-after-free in deliver_response+0x12f/0x1b0
 Read of size 8 at addr ffff888a7bf20018 by task ksoftirqd/3/27
 CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G           O      4.19.11-amd64-ani99-debug #12.0.1.601133+pv
 Hardware name: AppNeta r1000/X11SPW-TF, BIOS 2.1a-AP 09/17/2018
 Call Trace:
  dump_stack+0x92/0xeb
  print_address_description+0x73/0x290
  kasan_report+0x258/0x380
  deliver_response+0x12f/0x1b0
  ? ipmi_free_recv_msg+0x50/0x50
  deliver_local_response+0xe/0x50
  handle_one_recv_msg+0x37a/0x21d0
  handle_new_recv_msgs+0x1ce/0x440
  ...

 Allocated by task 9885:
  kasan_kmalloc+0xa0/0xd0
  kmem_cache_alloc_trace+0x116/0x290
  ipmi_alloc_recv_msg+0x28/0x70
  i_ipmi_request+0xb4a/0x1640
  ipmi_request_settime+0x1b8/0x1e0
  ...

 Freed by task 27:
  __kasan_slab_free+0x12e/0x180
  kfree+0xe9/0x280
  deliver_response+0x122/0x1b0
  deliver_local_response+0xe/0x50
  handle_one_recv_msg+0x37a/0x21d0
  handle_new_recv_msgs+0x1ce/0x440
  tasklet_action_common.isra.19+0xc4/0x250
  __do_softirq+0x11f/0x51f

Fixes: e86ee2d44b4 ("ipmi: Rework locking and shutdown for hot remove")
Signed-off-by: Fred Klassen <fklassen@appneta.com>

---
 drivers/char/ipmi/ipmi_msghandler.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 7fc9612070a1..fbf93c2d6c05 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -883,7 +883,7 @@ static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
 
 		if (user) {
 			user->handler->ipmi_recv_hndl(msg, user->handler_data);
-			release_ipmi_user(msg->user, index);
+			release_ipmi_user(user, index);
 		} else {
 			/* User went away, give up. */
 			ipmi_free_recv_msg(msg);
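Review bot: the hunk is right to drop the re-read of msg->user after user->handler->ipmi_recv_hndl() returns, but nothing in the code records why the cached user must be used, so a later refactor can reintroduce the bug. Add a comment above the call, e.g. `/* The handler may free msg (ibmpex does); do not touch msg after this call. */`, and confirm that nothing later in deliver_response() on the `if (user)` path dereferences msg, since only the `else` branch visible here still owns it. The `Fixes:` tag's SHA (e86ee2d44b4) is 11 characters; the kernel process documentation asks for at least 12.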
-- 
2.11.0


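The mechanism in the commit message above, modelled as an added example in C; this is neither kernel code nor the patch author's code. Every name here is a hypothetical stand-in: ipmi_user_m, recv_msg, the four-slot arena and its poisoning msg_free(), the instrumented msg_user() read, the two handler styles and run_scenario(). It contrasts the pre-patch deliver_response(), which re-reads msg->user after the handler returns, with the patched one that uses the pointer cached before the call, against a handler that frees the message itself (the ibmpex case) and one that queues it for a later free (the devintf case).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the deliver_response() bug, not the kernel's code.
 * A tiny arena stands in for the slab so that a read of a freed message is
 * reported, as KASAN would, instead of touching memory handed back to malloc. */
struct recv_msg;
struct ipmi_user_m {                 /* hypothetical stand-in for struct ipmi_user */
    int refcount;                    /* models the reference held across the handler */
    void (*recv_hndl)(struct recv_msg *msg, void *data);
};
struct recv_msg {                    /* hypothetical stand-in for struct ipmi_recv_msg */
    struct ipmi_user_m *user;
};
#define NSLOTS 4
static struct recv_msg slab[NSLOTS];
static int slab_inuse[NSLOTS];
static int uaf_reports;              /* reads of a freed message seen so far */

static struct recv_msg *msg_alloc(struct ipmi_user_m *user)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!slab_inuse[i]) {
            slab_inuse[i] = 1;
            slab[i].user = user;
            return &slab[i];
        }
    return NULL;
}

/* ipmi_free_recv_msg() stand-in: release the slot and poison its contents. */
static void msg_free(struct recv_msg *msg)
{
    slab_inuse[msg - slab] = 0;
    memset(msg, 0xAA, sizeof *msg);
}

/* Instrumented read of msg->user: report a freed slot instead of returning poison. */
static struct ipmi_user_m *msg_user(struct recv_msg *msg)
{
    if (slab_inuse[msg - slab])
        return msg->user;
    uaf_reports++;                   /* what KASAN flagged in deliver_response() */
    return NULL;
}

static void acquire_user(struct ipmi_user_m *u) { u->refcount++; }
static void release_user(struct ipmi_user_m *u) { if (u) u->refcount--; }
/* ibmpex_msg_handler() style: the handler frees the message itself. */
static void freeing_handler(struct recv_msg *msg, void *data) { (void)data; msg_free(msg); }
/* ipmi_devintf style: the handler queues the message and the reader frees it later. */
static struct recv_msg *queued;
static void queueing_handler(struct recv_msg *msg, void *data) { (void)data; queued = msg; }

/* Before the patch: msg->user is re-read after the handler may have freed msg. */
static void deliver_response_old(struct recv_msg *msg)
{
    struct ipmi_user_m *user = msg->user;
    acquire_user(user);
    user->recv_hndl(msg, NULL);
    release_user(msg_user(msg));     /* UAF read, and the reference is never dropped */
}

/* After the patch: only the pointer cached before the call is used. */
static void deliver_response_new(struct recv_msg *msg)
{
    struct ipmi_user_m *user = msg->user;
    acquire_user(user);
    user->recv_hndl(msg, NULL);
    release_user(user);              /* msg is never touched after the handler */
}

struct outcome { int uaf_reports; int refcount_left; }; /* refcount_left != 0: leaked ref */
static struct outcome run_scenario(int patched, int handler_frees)
{
    struct ipmi_user_m user = { 0, handler_frees ? freeing_handler : queueing_handler };
    struct outcome o;
    memset(slab_inuse, 0, sizeof slab_inuse);
    uaf_reports = 0; queued = NULL;
    if (patched)
        deliver_response_new(msg_alloc(&user));
    else
        deliver_response_old(msg_alloc(&user));
    if (queued)
        msg_free(queued);            /* the deferred free the devintf path relies on */
    o.uaf_reports = uaf_reports; o.refcount_left = user.refcount;
    return o;
}

int main(void)
{
    for (int p = 0; p < 2; p++)
        for (int f = 0; f < 2; f++) {
            struct outcome o = run_scenario(p, f);
            printf("%s, handler %s: uaf=%d refcount_left=%d\n", p ? "patched" : "unpatched",
                   f ? "frees" : "queues", o.uaf_reports, o.refcount_left);
        }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: only the unpatched run with the freeing handler reports a use-after-free, and it also leaves the user reference count at one, because the release is skipped once the pointer it needs has been freed out from under it. In the real driver that read is of freed slab memory, which is what the KASAN splat above reports; the arena here flags it instead of crashing.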

* Re: [PATCH] ipmi: Prevent use-after-free in deliver_response
From: Greg Kroah-Hartman (supporter:CHAR and MISC DRIVERS) @ 2019-01-19  8:10 UTC (permalink / raw)
  To: Fred Klassen
  Cc: Corey Minyard (supporter:IPMI SUBSYSTEM),
	Arnd Bergmann (supporter:CHAR and MISC DRIVERS),
	moderated list:IPMI SUBSYSTEM, open list, stable

On Fri, Jan 18, 2019 at 03:10:39PM -0800, Fred Klassen wrote:
> Some IPMI modules (e.g. ibmpex_msg_handler()) will have ipmi_usr_hdlr
> handlers that call ipmi_free_recv_msg() directly. This will essentially
> kfree(msg), leading to use-after-free.
> 
> This does not happen in the ipmi_devintf module, which will queue the
> message and run ipmi_free_recv_msg() later.
> 
>  BUG: KASAN: use-after-free in deliver_response+0x12f/0x1b0
>  Read of size 8 at addr ffff888a7bf20018 by task ksoftirqd/3/27
>  CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G           O      4.19.11-amd64-ani99-debug #12.0.1.601133+pv
>  Hardware name: AppNeta r1000/X11SPW-TF, BIOS 2.1a-AP 09/17/2018
>  Call Trace:
>   dump_stack+0x92/0xeb
>   print_address_description+0x73/0x290
>   kasan_report+0x258/0x380
>   deliver_response+0x12f/0x1b0
>   ? ipmi_free_recv_msg+0x50/0x50
>   deliver_local_response+0xe/0x50
>   handle_one_recv_msg+0x37a/0x21d0
>   handle_new_recv_msgs+0x1ce/0x440
>   ...
> 
>  Allocated by task 9885:
>   kasan_kmalloc+0xa0/0xd0
>   kmem_cache_alloc_trace+0x116/0x290
>   ipmi_alloc_recv_msg+0x28/0x70
>   i_ipmi_request+0xb4a/0x1640
>   ipmi_request_settime+0x1b8/0x1e0
>   ...
> 
>  Freed by task 27:
>   __kasan_slab_free+0x12e/0x180
>   kfree+0xe9/0x280
>   deliver_response+0x122/0x1b0
>   deliver_local_response+0xe/0x50
>   handle_one_recv_msg+0x37a/0x21d0
>   handle_new_recv_msgs+0x1ce/0x440
>   tasklet_action_common.isra.19+0xc4/0x250
>   __do_softirq+0x11f/0x51f
> 
> Fixes: e86ee2d44b4 ("ipmi: Rework locking and shutdown for hot remove")
> Signed-off-by: Fred Klassen <fklassen@appneta.com>
> 
> ---
>  drivers/char/ipmi/ipmi_msghandler.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

