Re: [PATCH] nfp: fix use-after-free in area_cache_get()

From: Jakub Kicinski
Date: Mon Aug 08 2022 - 15:16:36 EST

Next message: Paul Moore: "Re: [PATCH v4 0/4] Introduce security_create_user_ns()"
Previous message: Daniel Parks: "[RFC PATCH 6/6] crypto: sa2ul_pka: Add SA2UL PKA driver"
Next in thread: Yinjun Zhang: "RE: [PATCH] nfp: fix use-after-free in area_cache_get()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 6 Aug 2022 22:30:43 +0800 Jialiang Wang wrote:
> area_cache_get() calls cpp->op->area_init() and uses cache->area by
> nfp_cpp_area_priv(area), but in
> nfp_cpp_area_release()->nfp_cpp_area_put()->__release_cpp_area() we
> already freed the cache->area.
>
> To avoid the use-after-free, reallocate a piece of memory for the
> cache->area by nfp_cpp_area_alloc().
>
> Note: This vulnerability is triggerable by providing emulated device
> equipped with specified configuration.
>
> BUG: KASAN: use-after-free in nfp6000_area_init+0x74/0x1d0 [nfp]
> Write of size 4 at addr ffff888005b490a0 by task insmod/226
> Call Trace:
> <TASK>
> dump_stack_lvl+0x33/0x46
> print_report.cold.12+0xb2/0x6b7
> ? nfp6000_area_init+0x74/0x1d0 [nfp]
> kasan_report+0xa5/0x120
> ? nfp6000_area_init+0x74/0x1d0 [nfp]
> nfp6000_area_init+0x74/0x1d0 [nfp]
> area_cache_get.constprop.8+0x2da/0x360 [nfp]

Please provide more of the report, including the allocated at and freed
at sections and run the thing thru stack decode so we get the line
numbers.

Next message: Paul Moore: "Re: [PATCH v4 0/4] Introduce security_create_user_ns()"
Previous message: Daniel Parks: "[RFC PATCH 6/6] crypto: sa2ul_pka: Add SA2UL PKA driver"
Next in thread: Yinjun Zhang: "RE: [PATCH] nfp: fix use-after-free in area_cache_get()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]