[PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

[PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

[Siarhei Yasinski]

If ethernet connected to SFP, like this:

&enetc_port0 {
        phy-connection-type = "sgmii";
        sfp = <&sfp0>;
        managed = "in-band-status";
        status = "okay";
};

Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing.
It's better to unregister and free mdio resources.

Signed-off-by: Siarhei Yasinski <siarhei.yasinski@sintecs.eu>
---
 drivers/net/fsl_enetc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/fsl_enetc.c b/drivers/net/fsl_enetc.c
index cd4c2c29a6..d3326054a2 100644
--- a/drivers/net/fsl_enetc.c
+++ b/drivers/net/fsl_enetc.c
@@ -22,6 +22,8 @@
 
 #define ENETC_DRIVER_NAME	"enetc_eth"
 
+static int enetc_remove(struct udevice *dev);
+
 /*
  * sets the MAC address in IERB registers, this setting is persistent and
  * carried over to Linux.
@@ -319,6 +321,7 @@ static int enetc_config_phy(struct udevice *dev)
 static int enetc_probe(struct udevice *dev)
 {
 	struct enetc_priv *priv = dev_get_priv(dev);
+	int ret;
 
 	if (ofnode_valid(dev_ofnode(dev)) && !ofnode_is_available(dev_ofnode(dev))) {
 		enetc_dbg(dev, "interface disabled\n");
@@ -350,7 +353,10 @@ static int enetc_probe(struct udevice *dev)
 
 	enetc_start_pcs(dev);
 
-	return enetc_config_phy(dev);
+	ret = enetc_config_phy(dev);
+	if(ret)
+		enetc_remove(dev);
+	return ret;
 }
 
 /*
-- 
2.25.1

Re: [PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

[Ramon Fried]

On Fri, Sep 2, 2022 at 9:35 AM Siarhei Yasinski
<siarhei.yasinski@sintecs.eu> wrote:
>
> If ethernet connected to SFP, like this:
>
> &enetc_port0 {
>         phy-connection-type = "sgmii";
>         sfp = <&sfp0>;
>         managed = "in-band-status";
>         status = "okay";
> };
>
> Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing.
What do you mean freeing, can you describe the flow ?

Re: [PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c

[Siarhei Yasinski]

Hello.

In device_probe function in drivers/core/device.c we see a call of probe function:

        if (drv->probe) {
                ret = drv->probe(dev);
                if (ret)
                        goto fail;
        }

If it returns an error, then the execution path goes to fail label and called device_free function:

fail:
        dev_bic_flags(dev, DM_FLAG_ACTIVATED);

        device_free(dev);

        return ret;

But the freed memory remains in use by mdio, because in enetc_probe function, enetc_start_pcs function is called, which registers mdio:

        struct enetc_priv *priv = dev_get_priv(dev);

                if (!miiphy_get_dev_by_name(priv->imdio.name))
                        mdio_register(&priv->imdio);


From: Ramon Fried <rfried.dev@gmail.com>
Sent: 03 September 2022 00:38
To: Siarhei Yasinski <siarhei.yasinski@sintecs.eu>
Cc: U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [PATCH v2] net: enetc: Fix use after free issue in fsl_enetc.c 
 
[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognise the sender and know the content is safe

On Fri, Sep 2, 2022 at 9:35 AM Siarhei Yasinski
<siarhei.yasinski@sintecs.eu> wrote:
>
> If ethernet connected to SFP, like this:
>
> &enetc_port0 {
>         phy-connection-type = "sgmii";
>         sfp = <&sfp0>;
>         managed = "in-band-status";
>         status = "okay";
> };
>
> Then enetc_config_phy returns -ENODEV and memory containing mdio interface is freeing.
What do you mean freeing, can you describe the flow ?