Message ID | 20231206123719.1963153-1-revest@chromium.org |
---|---|
State | New |
Headers | From: Florent Revest <revest@chromium.org> To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, Florent Revest <revest@chromium.org> Subject: [PATCH] team: Fix use-after-free when an option instance allocation fails Date: Wed, 6 Dec 2023 13:37:18 +0100 Message-ID: <20231206123719.1963153-1-revest@chromium.org> |
Series | team: Fix use-after-free when an option instance allocation fails |
Commit Message
Florent Revest
Dec. 6, 2023, 12:37 p.m. UTC
In __team_options_register, team_options are allocated and appended to
the team's option_list.
If one option instance allocation fails, the "inst_rollback" cleanup
path frees the previously allocated options but doesn't remove them from
the team's option_list.
This leaves dangling pointers that can be dereferenced later by other
parts of the team driver that iterate over options.
This patch fixes the cleanup path to remove the dangling pointers from
the list.
As far as I can tell, this UAF doesn't have many security implications
since it would be fairly hard to exploit (an attacker would need to make
the allocation of that specific small object fail) but it's still nice
to fix.
Fixes: 80f7c6683fe0 ("team: add support for per-port options")
Signed-off-by: Florent Revest <revest@chromium.org>
---
drivers/net/team/team.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
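As an added illustration, not code from the patch or from the team driver, here is a userspace C model of the register/rollback sequence the commit message describes: a stand-in intrusive list replaces the kernel's list.h, and the per-option instance allocation is forced to fail at a chosen index. options_register(), rollback_leaves_dangling() and the fail_at/fixed parameters are constructed for this example; rollback_leaves_dangling() reports whether option_list still points at freed options once the failed registration returns.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Userspace stand-in for the kernel's intrusive list (assumption, not list.h). */
struct list_head { struct list_head *next, *prev; };
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
struct team_option { int id; struct list_head list; };
struct team { struct list_head option_list; };

/* Model of __team_options_register: options are allocated and linked onto
 * option_list; the instance allocation is forced to fail at index fail_at
 * (constructed failure). fixed == false keeps the original rollback, which frees
 * linked options without unlinking them; fixed == true adds the patch's list_del(). */
static int options_register(struct team *t, size_t count, size_t fail_at, bool fixed)
{
	struct team_option **dst = calloc(count, sizeof(*dst));
	size_t i;
	if (!dst) return -12;                                   /* -ENOMEM */
	for (i = 0; i < count; i++) {
		dst[i] = calloc(1, sizeof(**dst));
		if (!dst[i] || i == fail_at) goto inst_rollback;    /* instance alloc failed */
		dst[i]->id = (int)i;
		list_add_tail(&dst[i]->list, &t->option_list);
	}
	free(dst);
	return 0;
inst_rollback:
	free(dst[i]);                        /* the failing option was never linked */
	while (i-- > 0) {
		if (fixed) list_del(&dst[i]->list); /* the unlink the patch adds */
		free(dst[i]);                    /* models alloc_rollback's kfree() */
	}
	free(dst);
	return -12;
}

/* After a failed registration, does option_list still point at freed options?
 * Only the live list head is read, never the freed nodes themselves. */
static bool rollback_leaves_dangling(bool fixed)
{
	struct team t = { { &t.option_list, &t.option_list } }; /* empty list */
	if (options_register(&t, 4, 2, fixed) != -12) return false;
	return t.option_list.next != &t.option_list;
}
```

With the original rollback the head still references two freed options, which is exactly what a later walk over option_list would dereference; with the unlink added the list is empty when the error returns.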
Comments
Wed, Dec 06, 2023 at 01:37:18PM CET, revest@chromium.org wrote:
>In __team_options_register, team_options are allocated and appended to
>the team's option_list.
>If one option instance allocation fails, the "inst_rollback" cleanup
>path frees the previously allocated options but doesn't remove them from
>the team's option_list.
>This leaves dangling pointers that can be dereferenced later by other
>parts of the team driver that iterate over options.
>
>This patch fixes the cleanup path to remove the dangling pointers from
>the list.
>
>As far as I can tell, this uaf doesn't have much security implications
>since it would be fairly hard to exploit (an attacker would need to make
>the allocation of that specific small object fail) but it's still nice
>to fix.
>
>Fixes: 80f7c6683fe0 ("team: add support for per-port options")
>Signed-off-by: Florent Revest <revest@chromium.org>

Reviewed-by: Jiri Pirko <jiri@nvidia.com>

Thanks!
On Wed, Dec 06, 2023 at 01:37:18PM +0100, Florent Revest wrote: > In __team_options_register, team_options are allocated and appended to > the team's option_list. > If one option instance allocation fails, the "inst_rollback" cleanup > path frees the previously allocated options but doesn't remove them from > the team's option_list. > This leaves dangling pointers that can be dereferenced later by other > parts of the team driver that iterate over options. > > This patch fixes the cleanup path to remove the dangling pointers from > the list. > > As far as I can tell, this uaf doesn't have much security implications > since it would be fairly hard to exploit (an attacker would need to make > the allocation of that specific small object fail) but it's still nice > to fix. > > Fixes: 80f7c6683fe0 ("team: add support for per-port options") > Signed-off-by: Florent Revest <revest@chromium.org> > --- > drivers/net/team/team.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c > index 508d9a392ab18..f575f225d4178 100644 > --- a/drivers/net/team/team.c > +++ b/drivers/net/team/team.c > @@ -281,8 +281,10 @@ static int __team_options_register(struct team *team, > return 0; > > inst_rollback: > - for (i--; i >= 0; i--) > + for (i--; i >= 0; i--) { > __team_option_inst_del_option(team, dst_opts[i]); > + list_del(&dst_opts[i]->list); > + } > > i = option_count; > alloc_rollback: > -- > 2.43.0.rc2.451.g8631bc7472-goog > Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
On Wed, Dec 6, 2023 at 4:05 PM Hangbin Liu <liuhangbin@gmail.com> wrote:
>
> On Wed, Dec 06, 2023 at 01:37:18PM +0100, Florent Revest wrote:
> > In __team_options_register, team_options are allocated and appended to
> > the team's option_list.
> > If one option instance allocation fails, the "inst_rollback" cleanup
> > path frees the previously allocated options but doesn't remove them from
> > the team's option_list.
> > This leaves dangling pointers that can be dereferenced later by other
> > parts of the team driver that iterate over options.
> >
> > This patch fixes the cleanup path to remove the dangling pointers from
> > the list.
> >
> > As far as I can tell, this uaf doesn't have much security implications
> > since it would be fairly hard to exploit (an attacker would need to make
> > the allocation of that specific small object fail) but it's still nice
> > to fix.
> >
> > Fixes: 80f7c6683fe0 ("team: add support for per-port options")
> > Signed-off-by: Florent Revest <revest@chromium.org>
>
> Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>

Thank you for the quick reviews Hangbin & Jiri, I appreciate! :)

I just realized I forgot to CC stable (like I always do... :) maybe I
should tattoo it on my arm) Let me know if you'd like a v2 adding:

Cc: stable@vger.kernel.org
On Wed, Dec 06, 2023 at 05:31:58PM +0100, Florent Revest wrote:
> Thank you for the quick reviews Hangbin & Jiri, I appreciate! :)
>
> I just realized I forgot to CC stable (like I always do... :) maybe I
> should tattoo it on my arm) Let me know if you'd like a v2 adding:
>
> Cc: stable@vger.kernel.org

I think Greg will take care of it. No need to send v2 when there is
nothing to change.

Thanks
Hangbin
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 6 Dec 2023 13:37:18 +0100 you wrote:
> In __team_options_register, team_options are allocated and appended to
> the team's option_list.
> If one option instance allocation fails, the "inst_rollback" cleanup
> path frees the previously allocated options but doesn't remove them from
> the team's option_list.
> This leaves dangling pointers that can be dereferenced later by other
> parts of the team driver that iterate over options.
>
> [...]

Here is the summary with links:
  - team: Fix use-after-free when an option instance allocation fails
    https://git.kernel.org/netdev/net/c/c12296bbecc4

You are awesome, thank you!
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c index 508d9a392ab18..f575f225d4178 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -281,8 +281,10 @@ static int __team_options_register(struct team *team, return 0; inst_rollback: - for (i--; i >= 0; i--) + for (i--; i >= 0; i--) { __team_option_inst_del_option(team, dst_opts[i]); + list_del(&dst_opts[i]->list); + } i = option_count; alloc_rollback:
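Review bot: the new list_del() in the inst_rollback loop is only correct because the loop starts at i-1, so it relies on the option at the failing index never having been appended to option_list; that pairing between the append in the registration path and this unlink is not visible in the hunk, and a one-line comment at inst_rollback stating the invariant would keep a later reorder of the append from reintroducing the same dangling pointer. Separately, the patch carries a Fixes: tag but no Cc: stable@vger.kernel.org trailer; for a use-after-free fix the trailer is worth adding explicitly (the thread notes it was forgotten) rather than relying on the stable team picking it up from Fixes: alone.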