[PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
@ 2023-12-07  9:36 Dinghao Liu
  2023-12-07  9:55 ` Przemek Kitszel
  2023-12-08 23:59 ` Jakub Kicinski
  0 siblings, 2 replies; 4+ messages in thread
From: Dinghao Liu @ 2023-12-07  9:36 UTC (permalink / raw)
  To: dinghao.liu
  Cc: Ariel Elior, Manish Chopra, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Yuval Mintz, netdev, linux-kernel

qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
qed_cxt_tables_alloc() accesses the freed pointer on failure
of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
which may lead to use-after-free. Fix this issue by setting
p_hwfn->p_cxt_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().

Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---

Changelog:

v2: -Change the bug type from double-free to use-after-free.
    -Move the null check against p_mngr->ilt_shadow to the beginning
     of the function qed_ilt_shadow_free().
    -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
     because there is nothing to free.
---
 drivers/net/ethernet/qlogic/qed/qed_cxt.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 65e20693c549..911e0c0d3563 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -921,9 +921,12 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
 	struct qed_cxt_mngr *p_mngr = p_hwfn->p_cxt_mngr;
 	u32 ilt_size, i;
 
+	if (!p_mngr->ilt_shadow)
+		return;
+
 	ilt_size = qed_cxt_ilt_shadow_size(p_cli);
 
-	for (i = 0; p_mngr->ilt_shadow && i < ilt_size; i++) {
+	for (i = 0; i < ilt_size; i++) {
 		struct phys_mem_desc *p_dma = &p_mngr->ilt_shadow[i];
 
 		if (p_dma->virt_addr)
@@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
 		p_dma->virt_addr = NULL;
 	}
 	kfree(p_mngr->ilt_shadow);
+	p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
 }
 
 static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,
@@ -995,10 +999,8 @@ static int qed_ilt_shadow_alloc(struct qed_hwfn *p_hwfn)
 	size = qed_cxt_ilt_shadow_size(clients);
 	p_mngr->ilt_shadow = kcalloc(size, sizeof(struct phys_mem_desc),
 				     GFP_KERNEL);
-	if (!p_mngr->ilt_shadow) {
-		rc = -ENOMEM;
-		goto ilt_shadow_fail;
-	}
+	if (!p_mngr->ilt_shadow)
+		return -ENOMEM;
 
 	DP_VERBOSE(p_hwfn, QED_MSG_ILT,
 		   "Allocated 0x%x bytes for ilt shadow\n",
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
  2023-12-07  9:36 [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Dinghao Liu
@ 2023-12-07  9:55 ` Przemek Kitszel
  2023-12-08 23:59 ` Jakub Kicinski
  1 sibling, 0 replies; 4+ messages in thread
From: Przemek Kitszel @ 2023-12-07  9:55 UTC (permalink / raw)
  To: Dinghao Liu
  Cc: Ariel Elior, Manish Chopra, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Yuval Mintz, netdev, linux-kernel

On 12/7/23 10:36, Dinghao Liu wrote:
> qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
> free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
> qed_cxt_tables_alloc() accesses the freed pointer on failure
> of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
> which may lead to use-after-free. Fix this issue by setting
> p_hwfn->p_cxt_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().
> 
> Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
> ---
> 
> Changelog:

For future submissions please also provide links to previous versions
(would be to v1 in this case). No need to add this now for this one.

> 
> v2: -Change the bug type from double-free to use-after-free.
>      -Move the null check against p_mngr->ilt_shadow to the beginning
>       of the function qed_ilt_shadow_free().
>      -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
>       because there is nothing to free.
> ---
>   drivers/net/ethernet/qlogic/qed/qed_cxt.c | 12 +++++++-----
>   1 file changed, 7 insertions(+), 5 deletions(-)
> 


Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
  2023-12-07  9:36 [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Dinghao Liu
  2023-12-07  9:55 ` Przemek Kitszel
@ 2023-12-08 23:59 ` Jakub Kicinski
  2023-12-09 12:40   ` dinghao.liu
  1 sibling, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2023-12-08 23:59 UTC (permalink / raw)
  To: Dinghao Liu
  Cc: Ariel Elior, Manish Chopra, David S. Miller, Eric Dumazet,
	Paolo Abeni, Yuval Mintz, netdev, linux-kernel

On Thu,  7 Dec 2023 17:36:06 +0800 Dinghao Liu wrote:
> v2: -Change the bug type from double-free to use-after-free.
>     -Move the null check against p_mngr->ilt_shadow to the beginning
>      of the function qed_ilt_shadow_free().
>     -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
>      because there is nothing to free.

This refactoring is not acceptable as part of a fix, sorry.

> @@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
>  		p_dma->virt_addr = NULL;
>  	}
>  	kfree(p_mngr->ilt_shadow);
> +	p_hwfn->p_cxt_mngr->ilt_shadow = NULL;

Why do you dereference p_hwfn here?
Seems more natural to use:

	p_mngr->ilt_shadow = NULL;

since that's the exact pointer that was passed to free.
-- 
pw-bot: cr

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
  2023-12-08 23:59 ` Jakub Kicinski
@ 2023-12-09 12:40   ` dinghao.liu
  0 siblings, 0 replies; 4+ messages in thread
From: dinghao.liu @ 2023-12-09 12:40 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Ariel Elior, Manish Chopra, David S. Miller, Eric Dumazet,
	Paolo Abeni, Yuval Mintz, netdev, linux-kernel

> On Thu,  7 Dec 2023 17:36:06 +0800 Dinghao Liu wrote:
> > v2: -Change the bug type from double-free to use-after-free.
> >     -Move the null check against p_mngr->ilt_shadow to the beginning
> >      of the function qed_ilt_shadow_free().
> >     -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
> >      because there is nothing to free.
> 
> This refactoring is not acceptable as part of a fix, sorry.
> 
> > @@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
> >  		p_dma->virt_addr = NULL;
> >  	}
> >  	kfree(p_mngr->ilt_shadow);
> > +	p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
> 
> Why do you dereference p_hwfn here?
> Seems more natural to use:
> 
> 	p_mngr->ilt_shadow = NULL;
> 
> since that's the exact pointer that was passed to free.
> -- 
> pw-bot: cr

I will resend a new patch to fix this, thanks!

Regards,
Dinghao

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-12-09 12:41 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-07  9:36 [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Dinghao Liu
2023-12-07  9:55 ` Przemek Kitszel
2023-12-08 23:59 ` Jakub Kicinski
2023-12-09 12:40   ` dinghao.liu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).