From patchwork Tue Jan 10 00:29:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1723767 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=WVmEDcyF; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4NrWsh2QgHz23gJ for ; Tue, 10 Jan 2023 11:29:43 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1pF2WF-00015I-PG; Tue, 10 Jan 2023 00:29:35 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1pF2WD-00013P-MH for kernel-team@lists.ubuntu.com; Tue, 10 Jan 2023 00:29:33 +0000 Received: from mail-qk1-f199.google.com (mail-qk1-f199.google.com [209.85.222.199]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 21FBD3F75B for ; Tue, 10 Jan 2023 00:29:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1673310573; bh=hBR653rzolxtOW4rk9XOkfE1+6LJmJNGFOQgn/TGFN0=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=WVmEDcyFDYY/45Q15TWh9ujWfwb4d/IOEIpni17jYyHkiOpCl09ecIsDzTLOZ8SHm ISkE8BlRaJ4EnizooHhm9yO0pnNM1h2KQpakFBw8tD7Ptacuq1DVcoqUGSqUNe18FY 1oUpGWWx3w7FfJsBIjHGqyiJwaKYjXT8gVb1cFph1NqRFowrf0aaR48srNVLAlwevr KhdoNTcN7VZyW5wAL3uLNC8v/WQ6/PweO0JdWW/Notbi1oqyPCxN4mtkXOP073laJA 8PYRgHuWi+BCBbrm7J66g7WZ2m1q+n7cPXb18lGRgohOy0wGJ0nZq7U4Cp0h3bFINA TdO/F7S3Wo4XA== Received: by mail-qk1-f199.google.com with SMTP id br6-20020a05620a460600b007021e1a5c48so7594119qkb.6 for ; Mon, 09 Jan 2023 16:29:33 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hBR653rzolxtOW4rk9XOkfE1+6LJmJNGFOQgn/TGFN0=; b=xeO9DtSLUx6uQY48cXHgt7Shc+SAa5mnbFtp3uemo3owP5qRBKtBhq6nE9aEkkypYL MJxgzl5z9hpglwC/gfGRHVwx2EcSSRjl9KjITYYmQz7LNcXRMaURr41y+45nQ1kuXJz+ XwX0CfioyaQD75sJhkhO/buefSK+O3jSU33zU1h4gsrah7TXDsfahRk5FEQH26RkdNM7 T8X8GbgddgB3Z0VbF5YfViT8+uBrQwWaX65SPHkdNUdnIQwzLwjtzhDC46T0rO9V5oyM Tjn+hDTcE0NFUGPim9JBz3pMPm0B9DANy7V3XjJCg9pJYlavH5N2s6GNxUV9r4duIpS8 RXMA== X-Gm-Message-State: AFqh2krwbgd/+ZZujdZk0GNE8WNzaWQoCV4sDCroaXmxh5tJLpAqdhr4 8gA3Vad4poVCUK39a/C53FNtXtUE8/MBltORkhv/j8zbhWrT4DEV8jzhzcjmTJa7kJvt4f8hh0t Twc+O4N0/aYVZ4zsXBb4O8RjTMR+ogk5pbpft4Jla7A== X-Received: by 2002:ad4:4bc3:0:b0:4c6:fa63:60ed with SMTP id l3-20020ad44bc3000000b004c6fa6360edmr87447282qvw.47.1673310571197; Mon, 09 Jan 2023 16:29:31 -0800 (PST) X-Google-Smtp-Source: AMrXdXu+XsrBOl7qPyuh+L8nX5pf8qZWfsavaxa3Al+C836k+7AwOYNe2Q6RgdTuu3ikm6OYwvCylQ== X-Received: by 2002:ad4:4bc3:0:b0:4c6:fa63:60ed with SMTP id l3-20020ad44bc3000000b004c6fa6360edmr87447268qvw.47.1673310570924; Mon, 09 Jan 2023 16:29:30 -0800 (PST) Received: from cache-ubuntu.hsd1.nj.comcast.net ([2601:86:200:98b0:a347:42a9:d9b8:1857]) by smtp.gmail.com with ESMTPSA id s1-20020a05620a0bc100b006fa4ac86bfbsm6196968qki.55.2023.01.09.16.29.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Jan 2023 16:29:30 -0800 (PST) From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [K][PATCH] nfp: fix use-after-free in area_cache_get() Date: Mon, 9 Jan 2023 19:29:12 -0500 Message-Id: <20230110002912.8565-5-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230110002912.8565-1-yuxuan.luo@canonical.com> References: <20230110002912.8565-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jialiang Wang area_cache_get() is used to distribute cache->area and set cache->id, and if cache->id is not 0 and cache->area->kref refcount is 0, it will release the cache->area by nfp_cpp_area_release(). area_cache_get() set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire(). But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is is already set but the refcount is not increased as expected. At this time, calling the nfp_cpp_area_release() will cause use-after-free. To avoid the use-after-free, set cache->id after area_init() and nfp_cpp_area_acquire() complete successfully. Note: This vulnerability is triggerable by providing emulated device equipped with specified configuration. BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1 Call Trace: nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884) Allocated by task 1: nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303) nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802) nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230) nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215) nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744) Freed by task 1: kfree (mm/slub.c:4562) area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873) nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973) nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48) Signed-off-by: Jialiang Wang Reviewed-by: Yinjun Zhang Acked-by: Simon Horman Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com Signed-off-by: Jakub Kicinski (cherry picked from commit 02e1a114fdb71e59ee6770294166c30d437bf86a) CVE-2022-3545 Signed-off-by: Yuxuan Luo --- drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c index 34c0d2ddf9ef..a8286d0032d1 100644 --- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c +++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c @@ -874,7 +874,6 @@ area_cache_get(struct nfp_cpp *cpp, u32 id, } /* Adjust the start address to be cache size aligned */ - cache->id = id; cache->addr = addr & ~(u64)(cache->size - 1); /* Re-init to the new ID and address */ @@ -894,6 +893,8 @@ area_cache_get(struct nfp_cpp *cpp, u32 id, return NULL; } + cache->id = id; + exit: /* Adjust offset */ *offset = addr - cache->addr;