IOMMU Archive on lore.kernel.org
* [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
@ 2019-11-26 10:27 Eric Auger
  2019-11-26 17:19 ` Jerry Snitselaar
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Auger @ 2019-11-26 10:27 UTC (permalink / raw)
  To: eric.auger.pro, eric.auger, joro, hch, cai, iommu, linux-kernel

In case the new region gets merged into another one, the nr
list node is freed. Checking its type while completing the
merge algorithm leads to a use-after-free. Use new->type
instead.

Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region() implementation")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Qian Cai <cai@lca.pw>
Cc: Stable <stable@vger.kernel.org> #v5.3+

---

v2 -> v3:
- directly use new->type

v1 -> v2:
- remove spurious new line
---
 drivers/iommu/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index d658c7c6a2ab..285ad4a4c7f2 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
 		phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
 
 		/* no merge needed on elements of different types than @nr */
-		if (iter->type != nr->type) {
+		if (iter->type != new->type) {
 			list_move_tail(&iter->list, &stack);
 			continue;
 		}
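Review bot: the comment at the top of this hunk, "/* no merge needed on elements of different types than @nr */", still names @nr even though the comparison directly below it now reads new->type; change it to @new in the same hunk so the comment and the code agree and the reason for the change is visible at the point of use (per the commit message, nr may already have been freed once the new region was merged into another one, while new is the caller's region and remains valid for the rest of the walk).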
-- 
2.20.1

_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
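As an added example (not the kernel's code and not part of this mail), the following C program reproduces the shape of the merge in a simplified form: a list of regions kept sorted by start, a node allocated for the caller's region, and a merge pass that frees that node when it folds into a same-type predecessor. The struct, the singly linked list used in place of the kernel's list_head, the helper names and the sample regions are assumptions made for the example. The type test inside the loop reads new->type, which is the fix this patch makes; the pre-fix form that would read through the freed node is shown in a comment beside it.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Stand-in for struct iommu_resv_region (assumption: only the fields the
 * merge needs; a singly linked list replaces the kernel's list_head).
 */
struct region {
	unsigned long start;
	unsigned long length;	/* bytes; last address is start + length - 1 */
	int type;
	struct region *next;
};

/*
 * Insert a heap copy of @new into the list at @head (kept sorted by start),
 * then fold every same-type element that overlaps or abuts its same-type
 * predecessor into that predecessor.  Returns the element count after the
 * merge pass, or -1 if allocation fails.
 *
 * The node allocated for @new (nr) may itself be folded into a predecessor
 * and freed during the pass, so the type test inside the loop reads @new
 * (caller-owned, still valid) and never nr.
 */
int insert_region(struct region **head, const struct region *new)
{
	struct region *nr = malloc(sizeof(*nr));
	struct region **pp = head;
	struct region *iter;
	int count = 0;

	if (!nr)
		return -1;
	*nr = *new;

	/* sorted insertion by start address */
	while (*pp && (*pp)->start < nr->start)
		pp = &(*pp)->next;
	nr->next = *pp;
	*pp = nr;

	for (iter = *head; iter; ) {
		struct region **link = &iter->next;
		struct region *next;
		unsigned long iter_end, next_end;

		/* no merge needed on elements of different types than @new */
		/* pre-fix form: if (iter->type != nr->type)  -- nr may be freed */
		if (iter->type != new->type) {
			iter = iter->next;
			continue;
		}

		/* next same-type element, together with the link pointing at it */
		while (*link && (*link)->type != new->type)
			link = &(*link)->next;
		next = *link;
		if (!next)
			break;

		iter_end = iter->start + iter->length - 1;
		next_end = next->start + next->length - 1;
		if (next->start > iter_end && next->start - iter_end > 1) {
			iter = next;	/* disjoint: nothing to fold */
			continue;
		}

		/* overlap or contiguity: grow @iter, unlink and free @next.
		 * @next may be nr; after free() nr must not be touched again. */
		if (next_end > iter_end)
			iter->length = next_end - iter->start + 1;
		*link = next->next;
		free(next);
		/* stay on @iter: the following same-type element may merge too */
	}

	for (iter = *head; iter; iter = iter->next)
		count++;
	return count;
}

/* Element @idx of the list, or NULL if the list is shorter. */
const struct region *region_at(const struct region *head, int idx)
{
	while (head && idx-- > 0)
		head = head->next;
	return head;
}

void free_regions(struct region **head)
{
	while (*head) {
		struct region *r = *head;
		*head = r->next;
		free(r);
	}
}

/*
 * Constructed scenario: two regions of different types, then a type-1 region
 * overlapping the first.  Its node is folded into the predecessor and freed
 * while the merge pass is still running, the path on which the pre-fix code
 * read nr->type.  Returns 1 if the resulting list is as expected.
 */
int scenario_new_node_freed_during_merge(void)
{
	struct region *head = NULL;
	struct region a = { 0x1000, 0x1000, 1, NULL };	/* [0x1000, 0x1fff] type 1 */
	struct region b = { 0x3000, 0x1000, 2, NULL };	/* [0x3000, 0x3fff] type 2 */
	struct region c = { 0x1800, 0x2000, 1, NULL };	/* [0x1800, 0x37ff] type 1 */
	const struct region *r0, *r1;
	int ok;

	ok = insert_region(&head, &a) == 1 && insert_region(&head, &b) == 2 &&
	     insert_region(&head, &c) == 2;	/* c merged into a, its node freed */
	r0 = region_at(head, 0);
	r1 = region_at(head, 1);
	ok = ok && r0 && r0->start == 0x1000 && r0->length == 0x2800 && r0->type == 1;
	ok = ok && r1 && r1->start == 0x3000 && r1->length == 0x1000 && r1->type == 2;
	free_regions(&head);
	return ok;
}

int main(void)
{
	printf("merge scenario %s\n", scenario_new_node_freed_during_merge() ? "ok" : "FAILED");
	return 0;
}
```

Building this with a sanitizer (for instance `-fsanitize=address`) and switching the comparison back to `nr->type` turns the third insertion into a reported heap-use-after-free, the same class of report KASAN produced for the kernel routine.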


* Re: [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
  2019-11-26 10:27 [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region Eric Auger
@ 2019-11-26 17:19 ` Jerry Snitselaar
  0 siblings, 0 replies; 2+ messages in thread
From: Jerry Snitselaar @ 2019-11-26 17:19 UTC (permalink / raw)
  To: Eric Auger; +Cc: linux-kernel, iommu, hch, eric.auger.pro

On Tue Nov 26 19, Eric Auger wrote:
>In case the new region gets merged into another one, the nr
>list node is freed. Checking its type while completing the
>merge algorithm leads to a use-after-free. Use new->type
>instead.
>
>Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region() implementation")
>Signed-off-by: Eric Auger <eric.auger@redhat.com>
>Reported-by: Qian Cai <cai@lca.pw>
>Cc: Stable <stable@vger.kernel.org> #v5.3+
>

Minor nit, but should the comment above list_for_each_entry_safe get
updated as well? Other than that, lgtm.

Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>

>---
>
>v2 -> v3:
>- directly use new->type
>
>v1 -> v2:
>- remove spurious new line
>---
> drivers/iommu/iommu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
>index d658c7c6a2ab..285ad4a4c7f2 100644
>--- a/drivers/iommu/iommu.c
>+++ b/drivers/iommu/iommu.c
>@@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
> 		phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
>
> 		/* no merge needed on elements of different types than @nr */
>-		if (iter->type != nr->type) {
>+		if (iter->type != new->type) {
> 			list_move_tail(&iter->list, &stack);
> 			continue;
> 		}
>-- 
>2.20.1
>
