All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] rapidio: fix possible UAF when kfifo_alloc() fails
@ 2022-11-17  2:18 Wang Weiyang
  2022-11-17 20:45 ` Andrew Morton
  0 siblings, 1 reply; 3+ messages in thread
From: Wang Weiyang @ 2022-11-17  2:18 UTC (permalink / raw)
  To: mporter, alex.bou9, akpm, yangyingliang, jakobkoschel, jhubbard,
	error27, wangweiyang2
  Cc: linux-kernel

If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free
priv. But priv is still in the chdev->file_list, then list traversal
may cause UAF. This fixes the following smatch warning:

drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list

Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
---
 drivers/rapidio/devices/rio_mport_cdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 3cc83997a1f8..c66b2c552b38 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1930,6 +1930,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
 	filp->private_data = priv;
 	goto out;
 err_fifo:
+	mutex_lock(&chdev->file_mutex);
+	list_del(&priv->list);
+	mutex_unlock(&chdev->file_mutex);
 	kfree(priv);
 out:
 	return ret;
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] rapidio: fix possible UAF when kfifo_alloc() fails
  2022-11-17  2:18 [PATCH] rapidio: fix possible UAF when kfifo_alloc() fails Wang Weiyang
@ 2022-11-17 20:45 ` Andrew Morton
  2022-11-18  9:52   ` wangweiyang
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2022-11-17 20:45 UTC (permalink / raw)
  To: Wang Weiyang
  Cc: mporter, alex.bou9, yangyingliang, jakobkoschel, jhubbard,
	error27, linux-kernel

On Thu, 17 Nov 2022 10:18:02 +0800 Wang Weiyang <wangweiyang2@huawei.com> wrote:

> If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free
> priv. But priv is still in the chdev->file_list, then list traversal
> may cause UAF. This fixes the following smatch warning:
> 
> drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list
> 
> Fixes: e8de370188d0 ("rapidio: add mport char device driver")
> Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
> ---
>  drivers/rapidio/devices/rio_mport_cdev.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 3cc83997a1f8..c66b2c552b38 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -1930,6 +1930,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
>  	filp->private_data = priv;
>  	goto out;
>  err_fifo:
> +	mutex_lock(&chdev->file_mutex);
> +	list_del(&priv->list);
> +	mutex_unlock(&chdev->file_mutex);
>  	kfree(priv);
>  out:
>  	return ret;

Surely it would be better to avoid adding the new instance onto the
list until the new instance has been fully initialized?


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] rapidio: fix possible UAF when kfifo_alloc() fails
  2022-11-17 20:45 ` Andrew Morton
@ 2022-11-18  9:52   ` wangweiyang
  0 siblings, 0 replies; 3+ messages in thread
From: wangweiyang @ 2022-11-18  9:52 UTC (permalink / raw)
  To: Andrew Morton
  Cc: mporter, alex.bou9, yangyingliang, jakobkoschel, jhubbard,
	error27, linux-kernel

On 2022/11/18 4:45, Andrew Morton wrote:
> On Thu, 17 Nov 2022 10:18:02 +0800 Wang Weiyang <wangweiyang2@huawei.com> wrote:
> 
>> If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free
>> priv. But priv is still in the chdev->file_list, then list traversal
>> may cause UAF. This fixes the following smatch warning:
>>
>> drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list
>>
>> Fixes: e8de370188d0 ("rapidio: add mport char device driver")
>> Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
>> ---
>>  drivers/rapidio/devices/rio_mport_cdev.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
>> index 3cc83997a1f8..c66b2c552b38 100644
>> --- a/drivers/rapidio/devices/rio_mport_cdev.c
>> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
>> @@ -1930,6 +1930,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
>>  	filp->private_data = priv;
>>  	goto out;
>>  err_fifo:
>> +	mutex_lock(&chdev->file_mutex);
>> +	list_del(&priv->list);
>> +	mutex_unlock(&chdev->file_mutex);
>>  	kfree(priv);
>>  out:
>>  	return ret;
> 
> Surely it would be better to avoid adding the new instance onto the
> list until the new instance has been fully initialized?
> 

Thanks for your review. I'll send out a v2 patch later.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2022-11-18  9:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-17  2:18 [PATCH] rapidio: fix possible UAF when kfifo_alloc() fails Wang Weiyang
2022-11-17 20:45 ` Andrew Morton
2022-11-18  9:52   ` wangweiyang

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.