* [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
@ 2019-11-26 10:27 Eric Auger
2019-11-26 17:19 ` Jerry Snitselaar
2019-12-16 14:24 ` Qian Cai
0 siblings, 2 replies; 5+ messages in thread
From: Eric Auger @ 2019-11-26 10:27 UTC (permalink / raw)
To: eric.auger.pro, eric.auger, joro, hch, cai, iommu, linux-kernel
In case the new region gets merged into another one, the nr
list node is freed. Checking its type while completing the
merge algorithm leads to a use-after-free. Use new->type
instead.
Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region()
implementation")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Qian Cai <cai@lca.pw>
Cc: Stable <stable@vger.kernel.org> #v5.3+
---
v2 -> v3:
- directly use new->type
v1 -> v2:
- remove spurious new line
---
drivers/iommu/iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index d658c7c6a2ab..285ad4a4c7f2 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
/* no merge needed on elements of different types than @nr */
- if (iter->type != nr->type) {
+ if (iter->type != new->type) {
list_move_tail(&iter->list, &stack);
continue;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
2019-11-26 10:27 [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region Eric Auger
@ 2019-11-26 17:19 ` Jerry Snitselaar
2019-12-16 14:24 ` Qian Cai
1 sibling, 0 replies; 5+ messages in thread
From: Jerry Snitselaar @ 2019-11-26 17:19 UTC (permalink / raw)
To: Eric Auger; +Cc: eric.auger.pro, joro, hch, cai, iommu, linux-kernel
On Tue Nov 26 19, Eric Auger wrote:
>In case the new region gets merged into another one, the nr
>list node is freed. Checking its type while completing the
>merge algorithm leads to a use-after-free. Use new->type
>instead.
>
>Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region()
>implementation")
>Signed-off-by: Eric Auger <eric.auger@redhat.com>
>Reported-by: Qian Cai <cai@lca.pw>
>Cc: Stable <stable@vger.kernel.org> #v5.3+
>
Minor nit, but should the comment above list_for_each_entry_safe get
updated as well? Other than that, lgtm.
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
>---
>
>v2 -> v3:
>- directly use new->type
>
>v1 -> v2:
>- remove spurious new line
>---
> drivers/iommu/iommu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
>index d658c7c6a2ab..285ad4a4c7f2 100644
>--- a/drivers/iommu/iommu.c
>+++ b/drivers/iommu/iommu.c
>@@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
> phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
>
> /* no merge needed on elements of different types than @nr */
>- if (iter->type != nr->type) {
>+ if (iter->type != new->type) {
> list_move_tail(&iter->list, &stack);
> continue;
> }
>--
>2.20.1
>
>_______________________________________________
>iommu mailing list
>iommu@lists.linux-foundation.org
>https://lists.linuxfoundation.org/mailman/listinfo/iommu
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
2019-11-26 10:27 [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region Eric Auger
2019-11-26 17:19 ` Jerry Snitselaar
@ 2019-12-16 14:24 ` Qian Cai
2019-12-16 14:35 ` Auger Eric
1 sibling, 1 reply; 5+ messages in thread
From: Qian Cai @ 2019-12-16 14:24 UTC (permalink / raw)
To: Eric Auger, Andrew Morton, Linus Torvalds
Cc: eric.auger.pro, Joerg Roedel, hch, iommu, linux-kernel
> On Nov 26, 2019, at 5:27 AM, Eric Auger <eric.auger@redhat.com> wrote:
>
> In case the new region gets merged into another one, the nr
> list node is freed. Checking its type while completing the
> merge algorithm leads to a use-after-free. Use new->type
> instead.
>
> Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region()
> implementation")
> Signed-off-by: Eric Auger <eric.auger@redhat.com>
> Reported-by: Qian Cai <cai@lca.pw>
> Cc: Stable <stable@vger.kernel.org> #v5.3+
Looks like Joerg is away for a few weeks. Could Andrew or Linus pick up this
use-after-free?
>
> ---
>
> v2 -> v3:
> - directly use new->type
>
> v1 -> v2:
> - remove spurious new line
> ---
> drivers/iommu/iommu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index d658c7c6a2ab..285ad4a4c7f2 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
> phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
>
> /* no merge needed on elements of different types than @nr */
> - if (iter->type != nr->type) {
> + if (iter->type != new->type) {
> list_move_tail(&iter->list, &stack);
> continue;
> }
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
2019-12-16 14:24 ` Qian Cai
@ 2019-12-16 14:35 ` Auger Eric
2019-12-16 17:03 ` Linus Torvalds
0 siblings, 1 reply; 5+ messages in thread
From: Auger Eric @ 2019-12-16 14:35 UTC (permalink / raw)
To: Qian Cai, Andrew Morton, Linus Torvalds
Cc: eric.auger.pro, Joerg Roedel, hch, iommu, linux-kernel
Hi,
On 12/16/19 3:24 PM, Qian Cai wrote:
>
>
>> On Nov 26, 2019, at 5:27 AM, Eric Auger <eric.auger@redhat.com> wrote:
>>
>> In case the new region gets merged into another one, the nr
>> list node is freed. Checking its type while completing the
>> merge algorithm leads to a use-after-free. Use new->type
>> instead.
>>
>> Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region()
>> implementation")
>> Signed-off-by: Eric Auger <eric.auger@redhat.com>
>> Reported-by: Qian Cai <cai@lca.pw>
>> Cc: Stable <stable@vger.kernel.org> #v5.3+
>
>
> Looks like Joerg is away for a few weeks. Could Andrew or Linus pick up this
> use-after-free?
Thanks for the heads up. Indeed I was wondering why it hasn't been taken
yet.
Note the right version to pick up is the v4, reviewed by Jerry:
https://www.mail-archive.com/iommu@lists.linux-foundation.org/msg36226.html
Thanks
Eric
>
>>
>> ---
>>
>> v2 -> v3:
>> - directly use new->type
>>
>> v1 -> v2:
>> - remove spurious new line
>> ---
>> drivers/iommu/iommu.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
>> index d658c7c6a2ab..285ad4a4c7f2 100644
>> --- a/drivers/iommu/iommu.c
>> +++ b/drivers/iommu/iommu.c
>> @@ -313,7 +313,7 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
>> phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
>>
>> /* no merge needed on elements of different types than @nr */
>> - if (iter->type != nr->type) {
>> + if (iter->type != new->type) {
>> list_move_tail(&iter->list, &stack);
>> continue;
>> }
>> --
>> 2.20.1
>>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region
2019-12-16 14:35 ` Auger Eric
@ 2019-12-16 17:03 ` Linus Torvalds
0 siblings, 0 replies; 5+ messages in thread
From: Linus Torvalds @ 2019-12-16 17:03 UTC (permalink / raw)
To: Auger Eric
Cc: Qian Cai, Andrew Morton, eric.auger.pro, Joerg Roedel,
Christoph Hellwig, iommu, Linux Kernel Mailing List
On Mon, Dec 16, 2019 at 6:36 AM Auger Eric <eric.auger@redhat.com> wrote:
>On 12/16/19 3:24 PM, Qian Cai wrote:
> >
> > Looks like Joerg is away for a few weeks. Could Andrew or Linus pick up this
> > use-after-free?
I've taken it.
> Note the right version to pick up is the v4, reviewed by Jerry:
> https://www.mail-archive.com/iommu@lists.linux-foundation.org/msg36226.html
Btw, please use lore.kernel.org, it's much more convenient for me
(faster, and a single interface for me so that I don't have to always
figure out "what's the incantation to get the original raw email" that
so many archives make it hard to get).
Linus
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-12-16 17:06 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-26 10:27 [PATCH v3] iommu: fix KASAN use-after-free in iommu_insert_resv_region Eric Auger
2019-11-26 17:19 ` Jerry Snitselaar
2019-12-16 14:24 ` Qian Cai
2019-12-16 14:35 ` Auger Eric
2019-12-16 17:03 ` Linus Torvalds
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).