Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc

From: Przemek Kitszel
Date: Thu Dec 07 2023 - 04:55:18 EST

Next message: syzbot: "[syzbot] Monthly gfs2 report (Dec 2023)"
Previous message: Linus Walleij: "Re: [PATCH v1 0/5] pinctrl: Use struct pingroup and PINCTRL_PINGROUP()"
In reply to: Dinghao Liu: "[PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/7/23 10:36, Dinghao Liu wrote:

qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
qed_cxt_tables_alloc() accesses the freed pointer on failure
of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
which may lead to use-after-free. Fix this issue by setting
p_hwfn->p_cxt_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().

Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Signed-off-by: Dinghao Liu <dinghao.liu@xxxxxxxxxx>
---

Changelog:

For future submissions please also provide links to previous versions
(would be to v1 in this case). No need to add this now for this one.

v2: -Change the bug type from double-free to use-after-free.
-Move the null check against p_mngr->ilt_shadow to the beginning
of the function qed_ilt_shadow_free().
-When kcalloc() fails in qed_ilt_shadow_alloc(), just return
because there is nothing to free.
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@xxxxxxxxx>

Next message: syzbot: "[syzbot] Monthly gfs2 report (Dec 2023)"
Previous message: Linus Walleij: "Re: [PATCH v1 0/5] pinctrl: Use struct pingroup and PINCTRL_PINGROUP()"
In reply to: Dinghao Liu: "[PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]