[PATCH v3 0/3] Fix several use after free bugs

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v3 0/3] Fix several use after free bugs
@ 2021-01-20 10:24 Vincent Mailhol
  2021-01-20 10:24 ` [PATCH v3 1/3] can: dev: can_restart: fix use after free bug Vincent Mailhol
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Vincent Mailhol @ 2021-01-20 10:24 UTC (permalink / raw)
  To: Marc Kleine-Budde, Oliver Hartkopp, linux-can
  Cc: netdev, Wolfgang Grandegger, Stephane Grosjean, Loris Fauster,
	Alejandro Concepcion Rodriguez, Dan Carpenter, Vincent Mailhol

This series fix three bugs which all have the same root cause.

When calling netif_rx(skb) and its variants, the skb will eventually
get consumed (or freed) and thus it is unsafe to dereference it after
the call returns.

This remark especially applies to any variable with aliases the skb
memory which is the case of the can(fd)_frame.

The pattern is as this:
    skb = alloc_can_skb(dev, &cf);
    /* Do stuff */
    netif_rx(skb);
    stats->rx_bytes += cf->len;

Increasing the stats should be done *before* the call to netif_rx()
while the skb is still safe to use.

Changes since v2:
  - rebase on net/master
  - Added a comment towards upstream in patch 1/3 to inform about a
    conflict which will occur when net-next and net are merged
Ref: https://lore.kernel.org/linux-can/20210120085356.m7nabbw5zhy7prpo@hardanger.blackshift.org/

Changes since v1:
  - fix a silly typo in patch 2/3 (variable len was declared twice...)

Vincent Mailhol (3):
  can: dev: can_restart: fix use after free bug
  can: vxcan: vxcan_xmit: fix use after free bug
  can: peak_usb: fix use after free bugs

 drivers/net/can/dev.c                      | 4 ++--
 drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
 drivers/net/can/vxcan.c                    | 6 ++++--
 3 files changed, 10 insertions(+), 8 deletions(-)


base-commit: 9c30ae8398b0813e237bde387d67a7f74ab2db2d
-- 
2.26.2


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v3 1/3] can: dev: can_restart: fix use after free bug
  2021-01-20 10:24 [PATCH v3 0/3] Fix several use after free bugs Vincent Mailhol
@ 2021-01-20 10:24 ` Vincent Mailhol
  2021-01-20 10:42   ` Dan Carpenter
  2021-01-20 10:24 ` [PATCH v3 2/3] can: vxcan: vxcan_xmit: " Vincent Mailhol
  2021-01-20 10:24 ` [PATCH v3 3/3] can: peak_usb: fix use after free bugs Vincent Mailhol
  2 siblings, 1 reply; 5+ messages in thread
From: Vincent Mailhol @ 2021-01-20 10:24 UTC (permalink / raw)
  To: Marc Kleine-Budde, Oliver Hartkopp, linux-can
  Cc: netdev, Wolfgang Grandegger, Stephane Grosjean, Loris Fauster,
	Alejandro Concepcion Rodriguez, Dan Carpenter, Vincent Mailhol

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the netif_rx_ni() in:
      stats->rx_bytes += cf->len;

Reordering the lines solves the issue.

*Remark for upstream*
drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
below commit, please carry the patch forward.
Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
into separate subdir")

Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 3486704c8a95..8b1ae023cb21 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_RESTARTED;
 
-	netif_rx_ni(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->len;
 
+	netif_rx_ni(skb);
+
 restart:
 	netdev_dbg(dev, "restarted\n");
 	priv->can_stats.restarts++;
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v3 1/3] can: dev: can_restart: fix use after free bug
  2021-01-20 10:24 ` [PATCH v3 1/3] can: dev: can_restart: fix use after free bug Vincent Mailhol
@ 2021-01-20 10:42   ` Dan Carpenter
  0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2021-01-20 10:42 UTC (permalink / raw)
  To: Vincent Mailhol
  Cc: Marc Kleine-Budde, Oliver Hartkopp, linux-can, netdev,
	Wolfgang Grandegger, Stephane Grosjean, Loris Fauster,
	Alejandro Concepcion Rodriguez

On Wed, Jan 20, 2021 at 07:24:41PM +0900, Vincent Mailhol wrote:
> After calling netif_rx_ni(skb), dereferencing skb is unsafe.
> Especially, the can_frame cf which aliases skb memory is accessed
> after the netif_rx_ni() in:
>       stats->rx_bytes += cf->len;
> 
> Reordering the lines solves the issue.
> 
> *Remark for upstream*
> drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
> below commit, please carry the patch forward.
> Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
> into separate subdir")

Put these sorts of comments under the --- so that they aren't included
in the permanent git log.

> 
> Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
> Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> ---
  ^^^

comment below this line are removed from the git log.

>  drivers/net/can/dev.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v3 2/3] can: vxcan: vxcan_xmit: fix use after free bug
  2021-01-20 10:24 [PATCH v3 0/3] Fix several use after free bugs Vincent Mailhol
  2021-01-20 10:24 ` [PATCH v3 1/3] can: dev: can_restart: fix use after free bug Vincent Mailhol
@ 2021-01-20 10:24 ` Vincent Mailhol
  2021-01-20 10:24 ` [PATCH v3 3/3] can: peak_usb: fix use after free bugs Vincent Mailhol
  2 siblings, 0 replies; 5+ messages in thread
From: Vincent Mailhol @ 2021-01-20 10:24 UTC (permalink / raw)
  To: Marc Kleine-Budde, Oliver Hartkopp, linux-can
  Cc: netdev, Wolfgang Grandegger, Stephane Grosjean, Loris Fauster,
	Alejandro Concepcion Rodriguez, Dan Carpenter, Vincent Mailhol

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the canfd_frame cfd which aliases skb memory is accessed
after the netif_rx_ni().

Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/vxcan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
index fa47bab510bb..f9a524c5f6d6 100644
--- a/drivers/net/can/vxcan.c
+++ b/drivers/net/can/vxcan.c
@@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct net_device *peer;
 	struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
 	struct net_device_stats *peerstats, *srcstats = &dev->stats;
+	u8 len;
 
 	if (can_dropped_invalid_skb(dev, skb))
 		return NETDEV_TX_OK;
@@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
 	skb->dev        = peer;
 	skb->ip_summed  = CHECKSUM_UNNECESSARY;
 
+	len = cfd->len;
 	if (netif_rx_ni(skb) == NET_RX_SUCCESS) {
 		srcstats->tx_packets++;
-		srcstats->tx_bytes += cfd->len;
+		srcstats->tx_bytes += len;
 		peerstats = &peer->stats;
 		peerstats->rx_packets++;
-		peerstats->rx_bytes += cfd->len;
+		peerstats->rx_bytes += len;
 	}
 
 out_unlock:
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH v3 3/3] can: peak_usb: fix use after free bugs
  2021-01-20 10:24 [PATCH v3 0/3] Fix several use after free bugs Vincent Mailhol
  2021-01-20 10:24 ` [PATCH v3 1/3] can: dev: can_restart: fix use after free bug Vincent Mailhol
  2021-01-20 10:24 ` [PATCH v3 2/3] can: vxcan: vxcan_xmit: " Vincent Mailhol
@ 2021-01-20 10:24 ` Vincent Mailhol
  2 siblings, 0 replies; 5+ messages in thread
From: Vincent Mailhol @ 2021-01-20 10:24 UTC (permalink / raw)
  To: Marc Kleine-Budde, Oliver Hartkopp, linux-can
  Cc: netdev, Wolfgang Grandegger, Stephane Grosjean, Loris Fauster,
	Alejandro Concepcion Rodriguez, Dan Carpenter, Vincent Mailhol

After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the peak_usb_netif_rx_ni().

Reordering the lines solves the issue.

Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
index 61631f4fd92a..f347ecc79aef 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
@@ -514,11 +514,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
 	else
 		memcpy(cfd->data, rm->d, cfd->len);
 
-	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
-
 	netdev->stats.rx_packets++;
 	netdev->stats.rx_bytes += cfd->len;
 
+	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
+
 	return 0;
 }
 
@@ -580,11 +580,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
 	if (!skb)
 		return -ENOMEM;
 
-	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
-
 	netdev->stats.rx_packets++;
 	netdev->stats.rx_bytes += cf->len;
 
+	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
+
 	return 0;
 }
 
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-01-20 11:21 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-20 10:24 [PATCH v3 0/3] Fix several use after free bugs Vincent Mailhol
2021-01-20 10:24 ` [PATCH v3 1/3] can: dev: can_restart: fix use after free bug Vincent Mailhol
2021-01-20 10:42   ` Dan Carpenter
2021-01-20 10:24 ` [PATCH v3 2/3] can: vxcan: vxcan_xmit: " Vincent Mailhol
2021-01-20 10:24 ` [PATCH v3 3/3] can: peak_usb: fix use after free bugs Vincent Mailhol

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).