[PATCH] platform/x86: dell-smbios-base: Fix use after free on failure of dell_smbios_init()

* [PATCH] platform/x86: dell-smbios-base: Fix use after free on failure of dell_smbios_init()
@ 2019-04-03 19:20 Steven Rostedt
  2019-04-03 20:15 ` Darren Hart
  0 siblings, 1 reply; 3+ messages in thread
From: Steven Rostedt @ 2019-04-03 19:20 UTC (permalink / raw)
  To: LKML, platform-driver-x86
  Cc: Darren Hart, Andy Shevchenko, Mario Limonciello, Pali Rohár,
	Tom Zanussi

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

If da_tokens are allocated, but dell_smbios_init() eventually fails, it will
free the da_tokens but it does not reset the da_num_tokens number. This
leads to the possibility of a use after free in dell_smbios_find_token().
As da_tokens is not NULL and da_num_tokens is set to something other than 0.

By reseting the da_num_tokens to zero, and da_tokens to NULL after it is
freed, then access into the other functions that reference them will not
read freed memory.

This was caught by a KASAN report:

==================================================================
BUG: KASAN: use-after-free in dell_smbios_find_token+0x2e/0x80 [dell_smbios]
Read of size 2 at addr ffff88840c2bc1a8 by task systemd-udevd/479

CPU: 0 PID: 479 Comm: systemd-udevd Not tainted 5.1.0-rc1+ #9
Hardware name: Dell Inc. XPS 13 9360/02PG84, BIOS 2.3.1 10/03/2017
Call Trace:
 dump_stack+0x7c/0xbb
 ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
 print_address_description+0xc7/0x280
 ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
 ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
 kasan_report+0x14e/0x192
 ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
 dell_smbios_find_token+0x2e/0x80 [dell_smbios]
 kbd_led_init+0x2e7/0x473 [dell_laptop]
 ? dmi_matched+0x2a/0x2a [dell_laptop]
 ? get_device_parent.isra.28+0x2a0/0x2a0
 ? lockdep_init_map+0x98/0x2c0
 ? platform_device_add+0x1b5/0x3a0
 dell_init+0x4ad/0xb63 [dell_laptop]
 ? kbd_led_init+0x473/0x473 [dell_laptop]
 ? ___slab_alloc+0x61f/0x700
 ? ___slab_alloc+0x61f/0x700
 ? preempt_count_sub+0x15/0x100
 ? kbd_led_init+0x473/0x473 [dell_laptop]
 do_one_initcall+0xbd/0x3fd
 ? perf_trace_initcall_level+0x280/0x280
 ? kasan_unpoison_shadow+0x30/0x40
 ? __kasan_kmalloc.constprop.8+0xa0/0xd0
 ? kmem_cache_alloc_trace+0x163/0x390
 ? kasan_unpoison_shadow+0x30/0x40
 do_init_module+0xe3/0x341
 load_module+0x2fc5/0x3ad0
 ? layout_and_allocate+0x1170/0x1170
 ? vfs_read+0xd4/0x1b0
 ? kernel_read+0x74/0xa0
 ? kernel_read_file+0x148/0x320
 ? seccomp_notify_release+0x110/0x110
 ? __do_sys_finit_module+0x192/0x1c0
 __do_sys_finit_module+0x192/0x1c0
 ? __ia32_sys_init_module+0x40/0x40
 ? syscall_trace_enter+0x184/0x5e0
 ? mark_held_locks+0x1a/0x90
 do_syscall_64+0x72/0x220
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcb4f5f5a49
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
73 01 c3 48 8b 0d 0f b4 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc73e340b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 00005599992bb850 RCX: 00007fcb4f5f5a49
RDX: 0000000000000000 RSI: 00007fcb4f2e11c5 RDI: 0000000000000010
RBP: 00007fcb4f2e11c5 R08: 0000000000000000 R09: 00005599992bb850
R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000000
R13: 0000559999298f40 R14: 0000000000020000 R15: 00005599992bb850

Allocated by task 479:
 __kasan_kmalloc.constprop.8+0xa0/0xd0
 krealloc+0xa0/0xc0
 0xffffffffc0cc0075
 dmi_decode_table+0xf6/0x140
 dmi_walk+0x46/0x70
 0xffffffffc0cc0109
 do_one_initcall+0xbd/0x3fd
 do_init_module+0xe3/0x341
 load_module+0x2fc5/0x3ad0
 __do_sys_finit_module+0x192/0x1c0
 do_syscall_64+0x72/0x220
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 479:
 __kasan_slab_free+0x111/0x150
 kfree+0xf5/0x350
 0xffffffffc0cc01d4
 do_one_initcall+0xbd/0x3fd
 do_init_module+0xe3/0x341
 load_module+0x2fc5/0x3ad0
 __do_sys_finit_module+0x192/0x1c0
 do_syscall_64+0x72/0x220
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88840c2bc1a8
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff88840c2bc1a8, ffff88840c2bc9a8)
The buggy address belongs to the page:
page:ffffea001030ae00 count:1 mapcount:0 mapping:ffff8884204113c0 index:0x0
compound_mapcount: 0
flags: 0x17ffffc0010200(slab|head)
raw: 0017ffffc0010200 ffffea0010367608 ffffea000ea31808 ffff8884204113c0
raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88840c2bc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88840c2bc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88840c2bc180: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88840c2bc200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88840c2bc280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Link: http://lkml.kernel.org/r/1553106560.2080.5.camel@gmail.com

Reported-by: Tom Zanussi <tzanussi@gmail.com>
Tested-by: Tom Zanussi <tzanussi@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
 drivers/platform/x86/dell-smbios-base.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/platform/x86/dell-smbios-base.c b/drivers/platform/x86/dell-smbios-base.c
index 0537d44d45a6..a74c0df25b15 100644
--- a/drivers/platform/x86/dell-smbios-base.c
+++ b/drivers/platform/x86/dell-smbios-base.c
@@ -625,6 +625,8 @@ static int __init dell_smbios_init(void)
 
 fail_platform_driver:
 	kfree(da_tokens);
+	da_tokens = NULL;
+	da_num_tokens = 0;
 	return ret;
 }
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread