Re: [PATCH] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove

From: Pavel Skripkin
Date: Tue Nov 16 2021 - 00:48:28 EST

Next message: zhaoxiao: "[PATCH] drm/radeon:WARNING opportunity for max()"
Previous message: Viresh Kumar: "Re: [PATCH] cpufreq: freq_table: Initialize cpuinfo.max_freq to correct max frequency."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/16/21 04:27, Jakub Kicinski wrote:

I'd ignore that path, it's just special casing that's supposed to keep
the driver-visible API sane. Nobody should be touching netdev past
free_netdev(). Actually if you can it'd be interesting to add checks
for using whatever netdev_priv(ndev) returned past free_netdev(ndev).

Most UAFs that come to mind from the past were people doing something
like:

struct my_priv *mine = netdev_priv(ndev);

netdev_unregister(ndev);
free_netdev(ndev);

free(mine->bla); /* UAF, free_netdev() frees the priv */

I've implemented this checker couple of months ago. The latest smatch (v1.72) should warn about this type of bugs. All reported bugs are fixed already :)

My checker warns about using priv pointer after free_netdev() and free_candev() calls. There are a few more wrappers like free_sja1000dev(), so it worth to add them to check list too. Will add them today later

Important thing, that there are complex situations like

struct priv *priv = get_priv_from_smth(smth);

free_netdev(priv->netdev);
clean_up_priv(priv);

and for now I have no idea how to handle it (ex: ems_usb_disconnect).

With regards,
Pavel Skripkin

Next message: zhaoxiao: "[PATCH] drm/radeon:WARNING opportunity for max()"
Previous message: Viresh Kumar: "Re: [PATCH] cpufreq: freq_table: Initialize cpuinfo.max_freq to correct max frequency."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]