[PATCH v4 0/3] Fix several use after free bugs

[PATCH v4 0/3] Fix several use after free bugs

[Vincent Mailhol]

This series fix three bugs which all have the same root cause.

When calling netif_rx(skb) and its variants, the skb will eventually
get consumed (or freed) and thus it is unsafe to dereference it after
the call returns.

This remark especially applies to any variable with aliases the skb
memory which is the case of the can(fd)_frame.

The pattern is as this:
    skb = alloc_can_skb(dev, &cf);
    /* Do stuff */
    netif_rx(skb);
    stats->rx_bytes += cf->len;

Increasing the stats should be done *before* the call to netif_rx()
while the skb is still safe to use.

Changes since v3:
  - Patch 1/3: move the comments for upstream after the --- scissors

Changes since v2:
  - rebase on net/master
  - Patch 1/3: Added a comment towards upstream to inform about a
    conflict which will occur when net-next and net are merged
Ref: https://lore.kernel.org/linux-can/20210120085356.m7nabbw5zhy7prpo@hardanger.blackshift.org/

Changes since v1:
  - fix a silly typo in patch 2/3 (variable len was declared twice...)

Vincent Mailhol (3):
  can: dev: can_restart: fix use after free bug
  can: vxcan: vxcan_xmit: fix use after free bug
  can: peak_usb: fix use after free bugs

 drivers/net/can/dev.c                      | 4 ++--
 drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
 drivers/net/can/vxcan.c                    | 6 ++++--
 3 files changed, 10 insertions(+), 8 deletions(-)


base-commit: 9c30ae8398b0813e237bde387d67a7f74ab2db2d
-- 
2.26.2

[PATCH v4 1/3] can: dev: can_restart: fix use after free bug

[Vincent Mailhol]

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the netif_rx_ni() in:
      stats->rx_bytes += cf->len;

Reordering the lines solves the issue.

Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
*Remark for upstream*
drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
below commit, please carry the patch forward.
Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
into separate subdir")
---
 drivers/net/can/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 3486704c8a95..8b1ae023cb21 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
 
 	cf->can_id |= CAN_ERR_RESTARTED;
 
-	netif_rx_ni(skb);
-
 	stats->rx_packets++;
 	stats->rx_bytes += cf->len;
 
+	netif_rx_ni(skb);
+
 restart:
 	netdev_dbg(dev, "restarted\n");
 	priv->can_stats.restarts++;
-- 
2.26.2

[PATCH v4 2/3] can: vxcan: vxcan_xmit: fix use after free bug

[Vincent Mailhol]

After calling netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the canfd_frame cfd which aliases skb memory is accessed
after the netif_rx_ni().

Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/vxcan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
index fa47bab510bb..f9a524c5f6d6 100644
--- a/drivers/net/can/vxcan.c
+++ b/drivers/net/can/vxcan.c
@@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct net_device *peer;
 	struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
 	struct net_device_stats *peerstats, *srcstats = &dev->stats;
+	u8 len;
 
 	if (can_dropped_invalid_skb(dev, skb))
 		return NETDEV_TX_OK;
@@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
 	skb->dev        = peer;
 	skb->ip_summed  = CHECKSUM_UNNECESSARY;
 
+	len = cfd->len;
 	if (netif_rx_ni(skb) == NET_RX_SUCCESS) {
 		srcstats->tx_packets++;
-		srcstats->tx_bytes += cfd->len;
+		srcstats->tx_bytes += len;
 		peerstats = &peer->stats;
 		peerstats->rx_packets++;
-		peerstats->rx_bytes += cfd->len;
+		peerstats->rx_bytes += len;
 	}
 
 out_unlock:
-- 
2.26.2

[PATCH v4 3/3] can: peak_usb: fix use after free bugs

[Vincent Mailhol]

After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is accessed
after the peak_usb_netif_rx_ni().

Reordering the lines solves the issue.

Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
---
 drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
index 61631f4fd92a..f347ecc79aef 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
@@ -514,11 +514,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
 	else
 		memcpy(cfd->data, rm->d, cfd->len);
 
-	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
-
 	netdev->stats.rx_packets++;
 	netdev->stats.rx_bytes += cfd->len;
 
+	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
+
 	return 0;
 }
 
@@ -580,11 +580,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
 	if (!skb)
 		return -ENOMEM;
 
-	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
-
 	netdev->stats.rx_packets++;
 	netdev->stats.rx_bytes += cf->len;
 
+	peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
+
 	return 0;
 }
 
-- 
2.26.2

Re: [PATCH v4 0/3] Fix several use after free bugs

[Marc Kleine-Budde]

[-- Attachment #1.1: Type: text/plain, Size: 1935 bytes --]

On 1/20/21 12:41 PM, Vincent Mailhol wrote:
> This series fix three bugs which all have the same root cause.
> 
> When calling netif_rx(skb) and its variants, the skb will eventually
> get consumed (or freed) and thus it is unsafe to dereference it after
> the call returns.
> 
> This remark especially applies to any variable with aliases the skb
> memory which is the case of the can(fd)_frame.
> 
> The pattern is as this:
>     skb = alloc_can_skb(dev, &cf);
>     /* Do stuff */
>     netif_rx(skb);
>     stats->rx_bytes += cf->len;
> 
> Increasing the stats should be done *before* the call to netif_rx()
> while the skb is still safe to use.
> 
> Changes since v3:
>   - Patch 1/3: move the comments for upstream after the --- scissors
> 
> Changes since v2:
>   - rebase on net/master
>   - Patch 1/3: Added a comment towards upstream to inform about a
>     conflict which will occur when net-next and net are merged
> Ref: https://lore.kernel.org/linux-can/20210120085356.m7nabbw5zhy7prpo@hardanger.blackshift.org/
> 
> Changes since v1:
>   - fix a silly typo in patch 2/3 (variable len was declared twice...)
> 
> Vincent Mailhol (3):
>   can: dev: can_restart: fix use after free bug
>   can: vxcan: vxcan_xmit: fix use after free bug
>   can: peak_usb: fix use after free bugs
> 
>  drivers/net/can/dev.c                      | 4 ++--
>  drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
>  drivers/net/can/vxcan.c                    | 6 ++++--
>  3 files changed, 10 insertions(+), 8 deletions(-)

Applied to linux-can-testing. I don't know why 2/3 hasn't made it to the mail
archive yet.

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH v4 1/3] can: dev: can_restart: fix use after free bug

[Marc Kleine-Budde]

[-- Attachment #1.1: Type: text/plain, Size: 1047 bytes --]

On 1/20/21 12:41 PM, Vincent Mailhol wrote:
> After calling netif_rx_ni(skb), dereferencing skb is unsafe.
> Especially, the can_frame cf which aliases skb memory is accessed
> after the netif_rx_ni() in:
>       stats->rx_bytes += cf->len;
> 
> Reordering the lines solves the issue.
> 
> Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
> Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> ---
> *Remark for upstream*
> drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
> below commit, please carry the patch forward.
> Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
> into separate subdir")

I've send a pull request to Jakub and David. Let's see what happens :)

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH v4 1/3] can: dev: can_restart: fix use after free bug

[Vincent MAILHOL]

On Wed. 20 janv. 2021 at 21:53, Marc Kleine-Budde <mkl@pengutronix.de> wrote:
> On 1/20/21 12:41 PM, Vincent Mailhol wrote:
> > After calling netif_rx_ni(skb), dereferencing skb is unsafe.
> > Especially, the can_frame cf which aliases skb memory is accessed
> > after the netif_rx_ni() in:
> >       stats->rx_bytes += cf->len;
> >
> > Reordering the lines solves the issue.
> >
> > Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
> > Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> > ---
> > *Remark for upstream*
> > drivers/net/can/dev.c has been moved to drivers/net/can/dev/dev.c in
> > below commit, please carry the patch forward.
> > Reference: 3e77f70e7345 ("can: dev: move driver related infrastructure
> > into separate subdir")
>
> I've send a pull request to Jakub and David. Let's see what happens :)

Thanks!

Yours sincerely,
Vincent

> Marc
>
> --
> Pengutronix e.K.                 | Marc Kleine-Budde           |
> Embedded Linux                   | https://www.pengutronix.de  |
> Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
> Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
>

Re: [PATCH v4 0/3] Fix several use after free bugs

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Wed, 20 Jan 2021 20:41:34 +0900 you wrote:
> This series fix three bugs which all have the same root cause.
> 
> When calling netif_rx(skb) and its variants, the skb will eventually
> get consumed (or freed) and thus it is unsafe to dereference it after
> the call returns.
> 
> This remark especially applies to any variable with aliases the skb
> memory which is the case of the can(fd)_frame.
> 
> [...]

Here is the summary with links:
  - [v4,1/3] can: dev: can_restart: fix use after free bug
    https://git.kernel.org/netdev/net/c/03f16c5075b2
  - [v4,2/3] can: vxcan: vxcan_xmit: fix use after free bug
    https://git.kernel.org/netdev/net/c/75854cad5d80
  - [v4,3/3] can: peak_usb: fix use after free bugs
    https://git.kernel.org/netdev/net/c/50aca891d7a5

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html